The use of interpolants in verification is gaining more and more importance. Since theories used in applications are usually obtained as (disjoint) combinations of simpler theories, it is important to modularly re-use interpolation algorithms for the component theories. We show that a sufficient and necessary condition to do this for quantifier-free interpolation is that the component theories have the 'strong (sub-)amalgamation' property. Then, we provide an equivalent syntactic characterization, identify a sufficient condition, and design a combined quantifier-free interpolation algorithm capable of handling both convex and non-convex theories, that subsumes and extends most existing work on combined interpolation.

1 Introduction

Algorithms for computing interpolants are more and more used in verification, e.g., in the abstraction-refinement phase of software model checking [16]. Of particular importance in practice are those algorithms capable of computing quantifier-free interpolants in presence of some background theory. Since theories commonly used in verification are obtained as combinations of simpler theories, methods to modularly combine available quantifier-free interpolation algorithms are desirable. This paper studies the modularity of quantifier-free interpolation.

Our starting point is the well-known fact [1] that quantifier-free interpolation (for universal theories) is equivalent to the model-theoretic property of amalgamability. Intuitively, a theory has the amalgamation property if any two structures $\mathcal{M}_1, \mathcal{M}_2$ in its class of models sharing a common sub-model $\mathcal{M}_0$ can be regarded as sub-structures of a larger model $\mathcal{M}$, called the amalgamated model. Unfortunately, this property is not sufficient to derive a modularity result for quantifier-free interpolation. As shown in this paper, a stronger notion is needed, called strong amalgamability [19], that has been thoroughly analyzed in universal algebra and category theory [21,28]. A theory has the strong amalgamation property if in the amalgamated model $\mathcal{M}$, elements from the supports of $\mathcal{M}_1, \mathcal{M}_2$ not belonging to the support of $\mathcal{M}_0$ cannot be identified. An example of an amalgamable but not strongly amalgamable theory is the theory of fields: let $\mathcal{M}_0$ be a real field and $\mathcal{M}_1, \mathcal{M}_2$ be two copies of the complex numbers; the imaginary unit in $\mathcal{M}_1$ must be identified with the imaginary unit of $\mathcal{M}_2$ (or with its opposite) in any amalgamating field $\mathcal{M}$ since the polynomial $x^2 + 1$ cannot have more than two roots (more examples will be discussed below, many examples are also supplied in the catalogue of [21]). We show that strong amalgamability is precisely what is needed for the modularity of quantifier-free interpolation, in the following sense (here, for simplicity, we assume that theories are universal although in the paper we generalize to arbitrary ones): (a) if $T_1$ and $T_2$ are signature disjoint, both stably infinite and strongly amalgamable, then $T_1 \cup T_2$ is also strongly amalgamable and hence quantifier-free interpolating and (b) a theory $T$ is strongly amalgamable iff the disjoint union of $T$ with the theory $\mathcal{EUF}$ of equality with uninterpreted symbols has quantifier-free interpolation (Section 3). The first two requirements of (a) are those for the correctness of the Nelson-Oppen method [26] whose importance for combined satisfiability problems is well-known.

Since the proof of (a) is non-constructive, the result does not provide an algorithm to compute quantifier-free interpolants in combinations of theories. To overcome this problem, we reformulate the notion of equality interpolating theory $T$ in terms of the capability of computing some terms that are equal to the variables occurring in disjunctions of equalities entailed (modulo $T$) by pairs of quantifier-free formulae and show that equality interpolation is equivalent to strong amalgamation (Section 4). To put equality interpolation to productive work, we show that universal theories admitting elimination of quantifiers are equality interpolating (Section 4.1). This implies that the theories of recursively defined data structures [27], Integer Difference Logic, Unit-Two-Variable-Per-Inequality, and Integer Linear Arithmetic with division-by-$n$ [6] are all equality interpolating. Our notion of equality interpolation is a strict generalization of the one in [35] so that all the theories that are equality interpolating in the sense of [32] are also so according to our definition, e.g., the theory of LISP structures [26] and Linear Arithmetic over the Reals (Section 4.2). Finally, we describe a combination algorithm for the generation of quantifier-free interpolants from finite sets of quantifier-free formulae in unions of signature disjoint, stably infinite, and equality interpolating theories (Section 5). The algorithm uses as sub-modules the interpolation algorithms of the component theories and is based on a sequence of syntactic manipulations organized in groups of syntactic transformations modelled after a non-deterministic version of the Nelson-Oppen combination schema (see, e.g., [21]). All the proofs are in Appendix B. The other Appendixes contain additional information on related topics, in particular Appendix D connects equality interpolation with Beth definability property, Appendix E investigates interpolation in presence of free function symbols and Appendix F supplies a formal counterexample showing that the convex formulation of the equality interpolation property is insufficient to guarantee combined quantifier-free interpolation for non-convex theories.

2 Formal Preliminaries 

We assume the usual syntactic and semantic notions of first-order logic (see, e.g., [12]). The equality symbol "=" is included in all signatures considered below. For clarity, we shall use "≡" in the meta-theory to express the syntactic identity between two symbols or two strings of symbols. Notations like $E(\underline{x})$ mean that the expression (term, literal, formula, etc.) $E$ contains free variables only from the tuple $\underline{x}$. A 'tuple of variables' is a list of variables without repetitions and a 'tuple of terms' is a list of terms (possibly with repetitions). Finally, whenever we use a notation like $E(\underline{x}, \underline{y})$ we implicitly assume not only that both the $\underline{x}$ and the $\underline{y}$ are pairwise distinct, but also that $\underline{x}$ and $\underline{y}$ are disjoint. A formula is universal (existential) iff it is obtained from a quantifier-free formula by prefixing it with a string of universal (existential, resp.) quantifiers.

Theories, elimination of quantifiers, and interpolation. A theory $T$ is a pair $(\Sigma, Ax_T)$, where $\Sigma$ is a signature and $Ax_T$ is a set of $\Sigma$-sentences, called the axioms of $T$ (we shall sometimes write directly $T$ for $Ax_T$). The models of $T$ are those $\Sigma$-structures in which all the sentences in $Ax_T$ are true. A $\Sigma$-formula $\varphi$ is $T$-satisfiable if there exists a model $\mathcal{M}$ of $T$ such that $\varphi$ is true in $\mathcal{M}$ under a suitable assignment $a$ to the free variables of $\varphi$ (in symbols, $(\mathcal{M}, a) \models \varphi$); it is $T$-valid (in symbols, $T \vdash \varphi$) if its negation is $T$-unsatisfiable or, equivalently, $\varphi$ is provable from the axioms of $T$ in a complete calculus for first-order logic. A theory $T = (\Sigma, Ax_T)$ is universal iff there is a theory $T' = (\Sigma, Ax_{T'})$ such that all sentences in $Ax_{T'}$ are universal and the sets of $T$-valid and $T'$-valid sentences coincide. A formula $\varphi_1$ $T$-entails a formula $\varphi_2$ if $\varphi_1 \to \varphi_2$ is $T$-valid (in symbols, $\varphi_1 \vdash_T \varphi_2$ or simply $\varphi_1 \vdash \varphi_2$ when $T$ is clear from the context). The satisfiability modulo the theory $T$ ($SMT(T)$) problem amounts to establishing the $T$-satisfiability of quantifier-free $\Sigma$-formulae.

A theory $T$ admits quantifier-elimination iff for every formula $\varphi(\underline{x})$ there is a quantifier-free formula $\varphi'(\underline{x})$ such that $T \vdash \varphi \leftrightarrow \varphi'$. A theory $T$ admits quantifier-free interpolation (or, equivalently, has quantifier-free interpolants) iff for every pair of quantifier-free formulae $\varphi, \psi$ such that $\psi \wedge \varphi$ is $T$-unsatisfiable, there exists a quantifier-free formula $\theta$, called an interpolant, such that: (i) $\psi$ $T$-entails $\theta$, (ii) $\theta \wedge \varphi$ is $T$-unsatisfiable, and (iii) only the variables occurring in both $\psi$ and $\varphi$ occur in $\theta$. A theory admitting quantifier elimination also admits quantifier-free interpolation; the converse does not hold. A more general notion of quantifier-free interpolation property, involving free function symbols, is discussed in Appendix E.

Embeddings, sub-structures, and combinations of theories. The support of a structure $\mathcal{M}$ is denoted with $|\mathcal{M}|$. An embedding is a homomorphism that preserves and reflects relations and operations (see, e.g., [10]). Formally, a $\Sigma$-embedding (or, simply, an embedding) between two $\Sigma$-structures $\mathcal{M}$ and $\mathcal{N}$ is any mapping $\mu : |\mathcal{M}| \to |\mathcal{N}|$ satisfying the following three conditions: (a) it is an injective function; (b) it is an algebraic homomorphism, that is for every $n$-ary function symbol $f$ and for every $a_1, \dots, a_n \in |\mathcal{M}|$, we have $f^{\mathcal{N}}(\mu(a_1), \dots, \mu(a_n)) = \mu(f^{\mathcal{M}}(a_1, \dots, a_n))$; (c) it preserves and reflects interpreted predicates, i.e. for every $n$-ary predicate symbol $P$, we have $(a_1, \dots, a_n) \in P^{\mathcal{M}}$ iff $(\mu(a_1), \dots, \mu(a_n)) \in P^{\mathcal{N}}$. If $|\mathcal{M}| \subseteq |\mathcal{N}|$ and the embedding $\mu : \mathcal{M} \to \mathcal{N}$ is just the identity inclusion $|\mathcal{M}| \subseteq |\mathcal{N}|$, we say that $\mathcal{M}$ is a substructure of $\mathcal{N}$ or that $\mathcal{N}$ is a superstructure of $\mathcal{M}$. As is well known, the truth of a universal (resp. existential) sentence is preserved through substructures (resp. superstructures).

A theory $T$ is stably infinite iff every $T$-satisfiable quantifier-free formula (from the signature of $T$) is satisfiable in an infinite model of $T$. By compactness, it is possible to show that $T$ is stably infinite iff every model of $T$ embeds into an infinite one (see [2]). A theory $T$ is convex iff for every conjunction of literals $\delta$, if $\delta \vdash_T \bigvee_{i=1}^{n} x_i = y_i$ then $\delta \vdash_T x_i = y_i$ holds for some $i \in \{1, \dots, n\}$.

Let $T_i$ be a stably-infinite theory over the signature $\Sigma_i$ such that the $SMT(T_i)$ problem is decidable for $i = 1, 2$ and $\Sigma_1$ and $\Sigma_2$ are disjoint (i.e. the only shared symbol is equality). Under these assumptions, the Nelson-Oppen combination method [26] tells us that the SMT problem for the combination $T_1 \cup T_2$ of the theories $T_1$ and $T_2$ (i.e. the union of their axioms) is decidable.

3 Strong amalgamation and quantifier-free interpolation 

We first generalize the notions of amalgamability and strong amalgamability to arbitrary theories.

Definition 3.1. A theory $T$ has the sub-amalgamation property iff whenever we are given models $\mathcal{M}_1$ and $\mathcal{M}_2$ of $T$ and a common substructure $\mathcal{A}$ of them, there exists a further model $\mathcal{M}$ of $T$ endowed with embeddings $\mu_1 : \mathcal{M}_1 \to \mathcal{M}$ and $\mu_2 : \mathcal{M}_2 \to \mathcal{M}$ whose restrictions to $|\mathcal{A}|$ coincide.¹

A theory $T$ has the strong sub-amalgamation property if the embeddings $\mu_1, \mu_2$ satisfy the following additional condition: if for some $m_1, m_2$ we have $\mu_1(m_1) = \mu_2(m_2)$, then there exists an element $a$ in $|\mathcal{A}|$ such that $m_1 = a = m_2$.

If the theory $T$ is universal, any substructure of a model of $T$ is also a model of $T$ and we can assume that the substructure $\mathcal{A}$ in the definition above is also a model of $T$. In this sense, Definition 3.1 introduces generalizations of the standard notions of amalgamability and strong amalgamability for universal theories (see, e.g., [21] for a survey). The result of [1] relating universal theories and quantifier-free interpolation can be easily extended.

Theorem 3.2. A theory $T$ has the sub-amalgamation property iff it admits quantifier-free interpolants.

A theory admitting quantifier elimination has the sub-amalgamation property: this follows, e.g., from Theorem 3.2 above. On the other hand, quantifier elimination is not sufficient to guarantee the strong sub-amalgamation property. In fact, from Theorem 3.5 below and the counterexample given in [5], it follows that Presburger arithmetic does not have the strong sub-amalgamation property. However, in Section 4 we shall see that it is sufficient to enrich the signature of Presburger Arithmetic with (integer) division-by-$n$ (for every $n > 1$) to have strong amalgamability.

Examples. For any signature $\Sigma$, let $\mathcal{EUF}(\Sigma)$ be the pure equality theory over $\Sigma$. It is easy to see that $\mathcal{EUF}(\Sigma)$ is universal and has the strong amalgamation property by building a model $\mathcal{M}$ of $\mathcal{EUF}(\Sigma)$ from two models $\mathcal{M}_1$ and $\mathcal{M}_2$ sharing a substructure $\mathcal{M}_0$ as follows. Without loss of generality, assume that $|\mathcal{M}_0| = |\mathcal{M}_1| \cap |\mathcal{M}_2|$; let $|\mathcal{M}|$ be $|\mathcal{M}_1| \cup |\mathcal{M}_2|$ and arbitrarily extend the interpretation of the function and predicate symbols to make them total on $|\mathcal{M}|$.

¹ For the results of this paper to be correct, the notion of structure (and of course that of substructure) should encompass the case of structures with empty domains. Readers feeling uncomfortable with empty domains can assume that signatures always contain an individual constant.

Let us now consider two variants $\mathcal{AX}_{ext}$ and $\mathcal{AX}_{diff}$ of the theory of arrays considered in [9]. The signatures of $\mathcal{AX}_{ext}$ and $\mathcal{AX}_{diff}$ contain the sort symbols ARRAY, ELEM, and INDEX, and the function symbols $rd : \mathrm{ARRAY} \times \mathrm{INDEX} \to \mathrm{ELEM}$ and $wr : \mathrm{ARRAY} \times \mathrm{INDEX} \times \mathrm{ELEM} \to \mathrm{ARRAY}$. The signature of $\mathcal{AX}_{diff}$ also contains the function symbol $diff : \mathrm{ARRAY} \times \mathrm{ARRAY} \to \mathrm{INDEX}$. The set $\mathcal{AX}_{ext}$ of axioms contains the following three sentences:

$$\forall y, i, j, e.\ i \neq j \Rightarrow rd(wr(y,i,e), j) = rd(y,j), \qquad \forall y, i, e.\ rd(wr(y,i,e), i) = e,$$

$$\forall x, y.\ x \neq y \Rightarrow (\exists i.\ rd(x,i) \neq rd(y,i))$$

whereas the set of axioms for $\mathcal{AX}_{diff}$ is obtained from that of $\mathcal{AX}_{ext}$ by replacing the third axiom with its Skolemization:

$$\forall x, y.\ x \neq y \Rightarrow rd(x, diff(x,y)) \neq rd(y, diff(x,y))$$



In [7] (the extended version of [9]), it is shown that $\mathcal{AX}_{diff}$ has the strong sub-amalgamation property while $\mathcal{AX}_{ext}$ does not. However $\mathcal{AX}_{ext}$ (which is not universal) enjoys the following property (this is the standard notion of amalgamability from the literature): given two models $\mathcal{M}_1$ and $\mathcal{M}_2$ of $\mathcal{AX}_{ext}$ sharing a substructure $\mathcal{M}_0$ which is also a model of $\mathcal{AX}_{ext}$, there is a model $\mathcal{M}$ of $\mathcal{AX}_{ext}$ endowed with embeddings from $\mathcal{M}_1, \mathcal{M}_2$ agreeing on the support of $\mathcal{M}_0$.

The application of Theorem 3.2 to $\mathcal{EUF}(\Sigma)$, $\mathcal{AX}_{diff}$, and $\mathcal{AX}_{ext}$ allows us to derive in a uniform way results about quantifier-free interpolation that are available in the literature: that $\mathcal{EUF}(\Sigma)$ (see, e.g., [13,21]) and $\mathcal{AX}_{diff}$ [9] admit quantifier-free interpolants, and that $\mathcal{AX}_{ext}$ does not.



3.1 Modularity of quantifier-free interpolation

Given the importance of combining theories in SMT solving, the next step is to establish whether sub-amalgamation is a modular property. Unfortunately, this is not the case since the combination of two theories having quantifier-free interpolation may not have quantifier-free interpolation. For example, the union of the theory $\mathcal{EUF}(\Sigma)$ and Presburger arithmetic does not have quantifier-free interpolation [5]. Fortunately, strong sub-amalgamation is modular when combining stably infinite theories.

Theorem 3.3. Let $T_1$ and $T_2$ be two stably infinite theories over disjoint signatures $\Sigma_1$ and $\Sigma_2$. If both $T_1$ and $T_2$ have the strong sub-amalgamation property, then so does $T_1 \cup T_2$.



Theorems 3.2 and 3.3 obviously imply that strong sub-amalgamation is sufficient for the modularity of quantifier-free interpolation for stably infinite theories.

Corollary 3.4. Let $T_1$ and $T_2$ be two stably infinite theories over disjoint signatures $\Sigma_1$ and $\Sigma_2$. If both $T_1$ and $T_2$ have the strong sub-amalgamation property, then $T_1 \cup T_2$ admits quantifier-free interpolation.

We can also show that strong sub-amalgamation is necessary as explained by the following 
result. 

Theorem 3.5. Let $T$ be a theory admitting quantifier-free interpolation and $\Sigma$ be a signature disjoint from the signature of $T$ containing at least a unary predicate symbol. Then, $T \cup \mathcal{EUF}(\Sigma)$ has quantifier-free interpolation iff $T$ has the strong sub-amalgamation property.

Although Corollary 3.4 is already useful to establish whether combinations of theories admit quantifier-free interpolants, proving the strong sub-amalgamability property can be complex. In the next section, we study an alternative ("syntactic") characterization of strong sub-amalgamability that can be more easily applied to commonly used theories.

4 Equality interpolation and strong amalgamation 

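There is a tight relationship between the strong sub-amalgamation property of a theory $T$ and the fact that disjunctions of equalities among variables are entailed by $T$. To state this precisely, we need to introduce some preliminary notions. Given two finite tuples $\underline{t} \equiv t_1, \dots, t_n$ and $\underline{v} \equiv v_1, \dots, v_m$ of terms, the notation $\underline{t} \cap \underline{v} \neq \emptyset$ stands for the formula

$$\bigvee_{i=1}^{n} \bigvee_{j=1}^{m} (t_i = v_j).$$

We use $\underline{t}_1\underline{t}_2$ to denote the juxtaposition of the two tuples $\underline{t}_1$ and $\underline{t}_2$ of terms. So, for example, $\underline{t}_1\underline{t}_2 \cap \underline{v} \neq \emptyset$ is equivalent to $(\underline{t}_1 \cap \underline{v} \neq \emptyset) \vee (\underline{t}_2 \cap \underline{v} \neq \emptyset)$.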

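Definition 4.1. A theory $T$ is equality interpolating iff it has the quantifier-free interpolation property and satisfies the following condition:

• for every quintuple $\underline{x}, \underline{y}_1, \underline{z}_1, \underline{y}_2, \underline{z}_2$ of tuples of variables and pair of quantifier-free formulae $\delta_1(\underline{x}, \underline{z}_1, \underline{y}_1)$ and $\delta_2(\underline{x}, \underline{z}_2, \underline{y}_2)$ such that

$$\delta_1(\underline{x}, \underline{z}_1, \underline{y}_1) \wedge \delta_2(\underline{x}, \underline{z}_2, \underline{y}_2) \vdash_T \underline{y}_1 \cap \underline{y}_2 \neq \emptyset \qquad (1)$$

there exists a tuple $\underline{v}(\underline{x})$ of terms such that

$$\delta_1(\underline{x}, \underline{z}_1, \underline{y}_1) \wedge \delta_2(\underline{x}, \underline{z}_2, \underline{y}_2) \vdash_T \underline{y}_1\underline{y}_2 \cap \underline{v} \neq \emptyset. \qquad (2)$$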



We are now in the position to formally state the equivalence between strong sub-amalgamation 
and equality interpolating property. 

Theorem 4.2. A theory $T$ has the strong sub-amalgamation property iff it is equality interpolating.

4.1 Equality interpolation at work 

We now illustrate some interesting applications of Theorem 4.2 so that, by using Corollary 3.4, we can establish when combinations of theories admit quantifier-free interpolation. To ease the application of Theorem 4.2, we first study the relationship between quantifier-elimination and equality interpolation for universal theories.

Theorem 4.3. A universal theory admitting quantifier elimination is equality interpolating. 

Interestingly, the proof of this theorem (see Appendix B.2) is constructive and shows how an available quantifier elimination algorithm (for a universal theory) can be used to find the terms $\underline{v}$ satisfying condition (2) of Definition 4.1; this is key to the combined interpolation algorithm presented in Section 5 below.

Examples. The theory $\mathcal{RDS}$ of recursive data structures [27] consists of two unary function symbols $car$ and $cdr$ and a binary function symbol $cons$, and it is axiomatized by the following infinite set of sentences:

$$\forall x, y.\ car(cons(x,y)) = x, \qquad \forall x, y.\ cdr(cons(x,y)) = y, \qquad (CCC)$$

$$\forall x, y.\ cons(car(x), cdr(x)) = x, \qquad \forall x.\ x \neq t(x)$$

where $t$ is a term obtained by finitely many applications of $car$ and $cdr$ to the variable $x$ (e.g., $car(x) \neq x$, $cdr(cdr(x)) \neq x$, $cdr(car(x)) \neq x$, and so on). Clearly, $\mathcal{RDS}$ is universal; the fact that it admits elimination of quantifiers is known since an old work by Mal'cev [17].

Following [12], we define the theory $\mathcal{IDL}$ of integer difference logic to be the theory whose signature contains the constant symbol $0$, the unary function symbols $succ$ and $pred$, and the binary predicate symbol $<$, and which is axiomatized by adding to the irreflexivity, transitivity and linearity axioms for $<$ the following set of sentences:

$$\forall x.\ succ(pred(x)) = x, \qquad \forall x.\ pred(succ(x)) = x,$$

$$\forall x, y.\ x < succ(y) \leftrightarrow (x < y \vee x = y), \qquad \forall x, y.\ pred(x) < y \leftrightarrow (x < y \vee x = y).$$

$\mathcal{IDL}$ is universal and the fact that it admits elimination of quantifiers can be shown by adapting the procedure for a similar theory of natural numbers with successor and ordering in [12]. The key observation is that the atoms of $\mathcal{IDL}$ are equivalent to formulae of the form $i \bowtie f^n(j)$ (for $n \in \mathbb{Z}$, $\bowtie \in \{=, <\}$) where $i, j$ are variables or the constant $0$, $f^0(j)$ is $j$, $f^k(j)$ abbreviates $succ(succ^{k-1}(j))$ when $k > 0$ or $pred(pred^{k-1}(j))$ when $k < 0$. (Usually, $i \bowtie f^n(j)$ is written as $i - j \bowtie n$ or as $i \bowtie j + n$, from which the name "integer difference logic" comes.)

The theory $\mathcal{LAI}$ of Linear Arithmetic over the Integers contains the binary predicate symbol $<$, the constant symbols $0$ and $1$, the unary function symbol $-$, the binary function symbol $+$ and the unary function symbols $div[n]$ (integer division by $n$, for $n > 1$). As axioms, we take a set of sentences such that all true sentences in the standard model of the integers can be derived. This can be achieved for instance by adding to the axioms for totally ordered Abelian groups the following sentences (below $x\ rem[n]$ abbreviates $x - n(x\ div[n])$, moreover $kt$ denotes the sum $t + \cdots + t$ having $k$ addends all equal to the term $t$ and $k$ stands for $k1$):

$$0 < 1, \qquad \forall y.\ \neg(0 < y \wedge y < 1), \qquad \text{and} \qquad \forall x.\ x\ rem[n] = 0 \vee \cdots \vee x\ rem[n] = n - 1.$$

$\mathcal{LAI}$ can be seen as a variant of Presburger Arithmetic obtained by adding the functions $div[n]$ instead of the 'congruence modulo $n$' relations (for $n = 1, 2, 3, \dots$), which are needed to have quantifier elimination (see, e.g., [12]). For the application of Theorem 4.3, the problem with adding the 'congruence modulo $n$' is that the resulting theory is not universal. Instead, $\mathcal{LAI}$ is universal and the fact that it admits elimination of quantifiers can be derived by adapting existing quantifier-elimination procedures (e.g., the one in [12]) and observing that $x$ is congruent to $y$ modulo $n$ can be defined as $x\ rem[n] = y\ rem[n]$ (more details can be found in Appendix C.1).

By Theorem 4.3, $\mathcal{RDS}$, $\mathcal{IDL}$, and $\mathcal{LAI}$ are equality interpolating. The theory $\mathcal{UTVPI}$ of Unit-Two-Variable-Per-Inequality (see, e.g., [11]) is also equality interpolating (for lack of space, this is shown in Appendix C.2).

4.2 A comparison with the notion of equality interpolation in [32]

We now show that the notion of equality interpolating theories proposed here reduces to that of [32] when considering convex theories.

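Proposition 4.4. A convex theory $T$ having quantifier-free interpolation is equality interpolating iff for every pair $y_1, y_2$ of variables and for every pair of conjunctions of literals $\delta_1(\underline{x}, \underline{z}_1, y_1), \delta_2(\underline{x}, \underline{z}_2, y_2)$ such that

$$\delta_1(\underline{x}, \underline{z}_1, y_1) \wedge \delta_2(\underline{x}, \underline{z}_2, y_2) \vdash_T y_1 = y_2 \qquad (3)$$

there exists a term $v(\underline{x})$ such that

$$\delta_1(\underline{x}, \underline{z}_1, y_1) \wedge \delta_2(\underline{x}, \underline{z}_2, y_2) \vdash_T y_1 = v \wedge y_2 = v. \qquad (4)$$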




The implication (3) $\Rightarrow$ (4) is exactly the definition of equality interpolation in [32]. In the following, a convex quantifier-free interpolating theory satisfying (3) $\Rightarrow$ (4) will be called YMc equality interpolating. By Proposition 4.4, an YMc equality interpolating (convex) theory is also equality interpolating according to Definition 4.1. For example, the theory $\mathcal{LST}$ of list structures [26] contains the function symbols of $\mathcal{RDS}$, a unary predicate symbol $atom$, and it is axiomatized by the axioms of $\mathcal{RDS}$ labelled (CCC) and the sentences:

$$\forall x, y.\ \neg atom(cons(x,y)), \qquad \forall x.\ \neg atom(x) \to cons(car(x), cdr(x)) = x.$$

$\mathcal{LST}$ is a (universal) convex theory [26] that was shown to be YMc equality interpolating in [32]. By Proposition 4.4, we conclude that $\mathcal{LST}$ is equality interpolating in the sense of Definition 4.1. In [32], also Linear Arithmetic over the Reals ($\mathcal{LAR}$) is shown to be YMc equality interpolating (the convexity of $\mathcal{LAR}$ is well-known from linear algebra). By Proposition 4.4, $\mathcal{LAR}$ is equality interpolating in the sense of Definition 4.1. The same result can be obtained from Theorem 4.3 above by identifying a set of universal axioms for the theory and showing that they admit quantifier elimination. For the axioms to be universal, it is essential to include multiplication by rational coefficients in the signature of the theory, i.e. the unary function symbols $q * \_$ for every $q \in \mathbb{Q}$. If this is not the case, the theory is not sub-amalgamable and thus not equality interpolating: to see this, consider the embedding of the substructure $\mathbb{Z}$ into two copies of the reals. A direct counterexample to (3) $\Rightarrow$ (4) of Proposition 4.4 can be obtained by taking $\delta_i(x, y_i) \equiv y_i + y_i = x$ for $i = 1, 2$ so that $v(x) \equiv \frac{1}{2} * x$ in (4) and the function symbol $\frac{1}{2} * \_$ is required.

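For non-convex theories, the notion of equality interpolation in this paper is strictly more general than the one proposed in the extended version of [32]. Such a notion, to be called YM equality interpolating below, requires quantifier-free interpolation and the following condition:

- for every tuples $\underline{x}, \underline{z}_1, \underline{z}_2$ of variables, further tuples $\underline{y}_1 = y_{11}, \dots, y_{1n}$, $\underline{y}_2 = y_{21}, \dots, y_{2n}$ of variables, and pairs $\delta_1(\underline{x}, \underline{z}_1, \underline{y}_1), \delta_2(\underline{x}, \underline{z}_2, \underline{y}_2)$ of conjunctions of literals, if

$$\delta_1(\underline{x}, \underline{z}_1, \underline{y}_1) \wedge \delta_2(\underline{x}, \underline{z}_2, \underline{y}_2) \vdash_T \bigvee_{i=1}^{n} (y_{1i} = y_{2i})$$

holds, then there exists a tuple $\underline{v}(\underline{x}) = v_1, \dots, v_n$ of terms such that

$$\delta_1(\underline{x}, \underline{z}_1, \underline{y}_1) \wedge \delta_2(\underline{x}, \underline{z}_2, \underline{y}_2) \vdash_T \bigvee_{i=1}^{n} (y_{1i} = v_i \wedge v_i = y_{2i}).$$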

We show that the notion of YM equality interpolation implies that of equality interpolation proposed in this paper. Indeed, if a convex theory is YMc equality interpolating, then it is also YM equality interpolating. Since $\mathcal{EUF}(\Sigma)$ is convex and YMc equality interpolating (as shown in [32]), it is YM equality interpolating. By Theorems 3.5 and 4.2 (and the combination result of [32]), if a theory $T$ is YM equality interpolating, it is also equality interpolating in the sense of Definition 4.1. The converse does not hold, i.e. our notion is strictly weaker than YM equality interpolation. To prove this, we define a (non-convex) theory $T_{cex}$ that has the strong sub-amalgamation property but is not YM equality interpolating. Let the signature of $T_{cex}$ contain three propositional letters $p_1, p_2$ and $p_3$, three constant symbols $c_1, c_2$, and $c_3$, and a unary predicate $Q$. $T_{cex}$ is axiomatized by the following sentences: exactly one among $p_1, p_2$ and $p_3$ holds, $c_1, c_2$, and $c_3$ are distinct, $Q(x)$ holds for no more than one $x$, and $p_i \to Q(c_i)$ for $i = 1, 2, 3$. It is easy to see that $T_{cex}$ is stably infinite and has the strong sub-amalgamation property ($T_{cex}$ is non-convex since $Q(x) \wedge y_1 = c_1 \wedge y_2 = c_2 \wedge y_3 = c_3$ implies the disjunction $x = y_1 \vee x = y_2 \vee x = y_3$ without implying any single disjunct). Now, notice that $Q(x) \wedge Q(y) \vdash_{T_{cex}} x = y$. According to the definition of the YM equality interpolating property (see above), there should be a single ground term $v$ such that $Q(x) \wedge Q(y) \vdash_{T_{cex}} x = v \wedge y = v$. This cannot be the case since we must choose among one of the three constants $c_1, c_2, c_3$ to find such a term $v$ and none of these choices fits our purposes. Hence, $T_{cex}$ is not YM equality interpolating although it has the strong sub-amalgamation property and hence it is equality interpolating according to Definition 4.1.
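
The counterexample above can be checked by enumeration. The following Python sketch is an added example, not part of the paper: it enumerates the models of $T_{cex}$ over domains of 3 and 4 elements only (a bounded check, with $c_1, c_2, c_3$ fixed to the elements 0, 1, 2, which is an assumption made up to isomorphism) and compares the single-term YM condition with condition (2) of Definition 4.1 for the instance $Q(x) \wedge Q(y)$. All function names are hypothetical.

```python
from itertools import product

# Interpretations of c1, c2, c3: three distinct elements (fixed up to isomorphism).
CONSTS = (0, 1, 2)

def models(size):
    """Enumerate models of T_cex over the domain {0..size-1}.

    Yields (k, q): k is the index of the true propositional letter,
    q is the extension of the predicate Q.
    """
    dom = range(size)
    for p in product([False, True], repeat=3):
        if sum(p) != 1:                      # exactly one among p1, p2, p3 holds
            continue
        # Q(x) holds for no more than one x
        for q in [frozenset()] + [frozenset({d}) for d in dom]:
            if all(CONSTS[i] in q for i in range(3) if p[i]):   # p_i -> Q(c_i)
                yield p.index(True), q

def witnesses(size):
    """All (model index, x, y) such that Q(x) and Q(y) are both true."""
    for k, q in models(size):
        for x, y in product(range(size), repeat=2):
            if x in q and y in q:
                yield k, x, y

def entails_x_eq_y(sizes=(3, 4)):
    """Q(x) & Q(y) |- x = y, checked on the enumerated models."""
    return all(x == y for n in sizes for _, x, y in witnesses(n))

def single_term_works(v, sizes=(3, 4)):
    """YM condition for this instance: Q(x) & Q(y) |- x = v & y = v, v one constant."""
    return all(x == CONSTS[v] and y == CONSTS[v]
               for n in sizes for _, x, y in witnesses(n))

def tuple_works(vs, sizes=(3, 4)):
    """Condition (2): some variable among x, y equals some term of the tuple vs."""
    return all(any(u == CONSTS[v] for u in (x, y) for v in vs)
               for n in sizes for _, x, y in witnesses(n))

if __name__ == "__main__":
    print("x = y entailed:", entails_x_eq_y())
    for i in range(3):
        print(f"single term c{i + 1} works:", single_term_works(i))
    print("tuple c1,c2,c3 works:", tuple_works((0, 1, 2)))
```

In every enumerated model the axioms force $Q$ to hold exactly on the constant selected by the true $p_i$, which is why no single constant can serve as $v$ while the tuple $c_1, c_2, c_3$ does.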

To conclude the comparison with [32], since the notion of equality interpolation of this paper is strictly weaker than that of YM equality interpolation, the scope of applicability of our result about the modularity of theories admitting quantifier-free interpolation (i.e. Corollary 3.4 above) is broader than the one in the extended version of



5 An interpolation algorithm for combinations of theories 

Although the notion of equality interpolation together with Corollary 3.4 allows us to establish the quantifier-free interpolation for all those theories obtained by combining a theory axiomatizing a container data structure (such as $\mathcal{EUF}$, $\mathcal{RDS}$, $\mathcal{LST}$, or $\mathcal{AX}_{diff}$) with relevant fragments of Arithmetics (such as $\mathcal{LAR}$, $\mathcal{IDL}$, $\mathcal{UTVPI}$, or $\mathcal{LAI}$), just knowing that quantifier-free interpolants exist may not be sufficient. It would be desirable to compute interpolants for combinations of theories by modularly reusing the available interpolation algorithms for the component theories. This is the subject of this section.

To simplify the technical development, we work with ground formulae over signatures expanded with free constants instead of quantifier free formulae as done in the previous sections. We use the letters $A, B, \dots$ to denote finite sets of ground formulae; the logical reading of a set of formulae is the conjunction of its elements. For a signature $\Sigma$ and set $A$ of formulae, $\Sigma^A$ denotes the signature $\Sigma$ expanded with the free constants occurring in $A$. Let $A$ and $B$ be two finite sets of ground formulae in the signatures $\Sigma^A$ and $\Sigma^B$, respectively, and $\Sigma^C := \Sigma^A \cap \Sigma^B$. Given a term, a literal, or a formula $\varphi$ we call it:

• $AB$-common iff it is defined over $\Sigma^C$;

• $A$-local (resp. $B$-local) if it is defined over $\Sigma^A$ (resp. $\Sigma^B$);

• $A$-strict (resp. $B$-strict) iff it is $A$-local (resp. $B$-local) but not $AB$-common;

• $AB$-mixed if it contains symbols in both $(\Sigma^A \setminus \Sigma^C)$ and $(\Sigma^B \setminus \Sigma^C)$;

• $AB$-pure if it does not contain symbols in both $(\Sigma^A \setminus \Sigma^C)$ and $(\Sigma^B \setminus \Sigma^C)$.



(Sometimes in the literature about interpolation, "$A$-local" and "$B$-local" are used to denote what we call here "$A$-strict" and "$B$-strict".)

5.1 Interpolating metarules 

Our combined interpolation method is based on the abstract framework introduced in [9] (to which the interested reader is pointed for more details) and used also in [8] that is based on 'metarules.' A metarule applies (bottom-up) to a pair $A, B$ of finite sets of ground formulae², producing an equisatisfiable pair of sets of formulae. Each metarule comes with a proviso for its applicability and an instruction for the computation of the interpolant. As an example, consider the metarule (Define0):

$$\frac{A \cup \{a = t\} \;\mid\; B \cup \{a = t\}}{A \;\mid\; B}$$

Proviso: $t$ is $AB$-common, $a$ is fresh. Instruction: $\varphi' \equiv \varphi(t/a)$.

It is not difficult to see that $A \cup B$ is equisatisfiable to $A \cup B \cup \{a = t\}$ since $a$ is a fresh variable that has been introduced to re-name the $AB$-common term $t$ according to the proviso of (Define0). The instruction attached to (Define0) allows for the computation of the interpolant $\varphi'$ by eliminating the fresh constant $a$ from the recursively known interpolant $\varphi$. The idea is to build an interpolating metarules refutation for a given unsatisfiable $A_0 \cup B_0$, i.e. a labeled tree having the following properties: (i) nodes are labeled by pairs of finite sets of ground formulae; (ii) the root is labeled by $A_0, B_0$; (iii) the leaves are labeled by a pair $A, B$ such that $\bot \in A \cup B$; (iv) each non-leaf node is the conclusion of a metarule and its successors are the premises of that metarule (the complete list of metarules is in the Appendix). Once an interpolating metarules refutation has been built, it is possible to recursively compute the interpolant by using (top-down) the instructions attached to the metarules in the tree:



² In [8,9], metarules manipulate pairs of finite sets of literals instead of ground formulae; the difference is immaterial.

Proposition 5.1 ([9]). If there exists an interpolating metarules refutation for $A_0, B_0$ then there is a quantifier-free interpolant for $A_0, B_0$ (i.e., there exists a quantifier-free $AB$-common sentence $\varphi$ such that $A_0 \vdash \varphi$ and $B_0 \wedge \varphi \vdash \bot$). The interpolant $\varphi$ is recursively computed by applying the relevant interpolating instructions of the metarules.

The idea to design the combination algorithm is the following. We design transformation instructions that can be non-deterministically applied to a pair $A_0, B_0$. Each of the transformation instructions is justified by metarules, in the sense that it is just a special sequence of applications of metarules. The instructions are such that, whenever they are applied exhaustively to a pair such that $A_0 \cup B_0$ is unsatisfiable, they produce a tree which is an interpolating metarules refutation for $A_0, B_0$ from which an interpolant can be extracted according to Proposition 5.1.

5.2 A quantifier-free interpolating algorithm

Let $T_i$ be a stably-infinite and equality interpolating theory over the signature $\Sigma_i$ such that the $SMT(T_i)$ problem is decidable and $\Sigma_1 \cap \Sigma_2 = \emptyset$ (for $i = 1, 2$). We assume the availability of algorithms for $T_1$ and $T_2$ that are able not only to compute quantifier-free interpolants but also the tuples $\underline{v}$ of terms in Definition 4.1 for equality interpolation. Since the $SMT(T_i)$ problem is decidable for $i = 1, 2$, it is always possible to build an equality interpolating algorithm by enumeration; in practice, better algorithms can be designed (see [32] for $\mathcal{EUF}$, $\mathcal{LST}$, $\mathcal{LAR}$ and Appendix B for the possibility to use quantifier elimination to this aim).

Let $\Sigma := \Sigma_1 \cup \Sigma_2$, $T := T_1 \cup T_2$, and $A_0, B_0$ be a $T$-unsatisfiable pair of finite sets of
ground formulae over the signature $\Sigma$. Like in the Nelson-Oppen combination method,
we have a pre-processing step in which we purify $A_0$ and $B_0$ so as to eliminate from them the
literals which are neither $\Sigma_1$- nor $\Sigma_2$-literals. To do this, it is sufficient to repeatedly apply
the technique of "renaming terms by constants" described below. Take a term $t$ (occurring
in a literal from $A_0$ or from $B_0$), add the equality $a = t$ for a fresh constant $a$ and replace
all the occurrences of $t$ by $a$. The transformation can be justified by the following sequence
of metarules: Define1, Define2, Redplus1, Redplus2, Redminus1, Redminus2. For example,
in the case of the renaming of some term $t$ in $A_0$, the metarule Define1 is used to add the
explicit definition $a = t$ to $A_0$, the metarule Redplus1 to add the formula $\phi(a/t)$ for each
$\phi \in A_0$, and the metarule Redminus1 to remove from $A_0$ all the formulae $\phi$ in which $t$ occurs
(except $a = t$).
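
The "renaming terms by constants" step above, as an added Python example (not code from the paper). Terms are nested tuples; the signatures SIG1 and SIG2, the class and helper names, and the sample set A0 are constructed for illustration, and fresh constants a1, a2, ... are assumed not to occur in the input.

```python
from itertools import count

# Constructed signatures: SIG1 ~ arithmetic symbols, SIG2 ~ uninterpreted symbols.
SIG1 = {"+", "<="}
SIG2 = {"f", "g"}


def theory_of(symbol):
    """Return 1 or 2 for a signature symbol, None for equality and free constants."""
    if symbol in SIG1:
        return 1
    if symbol in SIG2:
        return 2
    return None


class Purifier:
    """Renames alien subterms by fresh constants, recording each definition a = t."""

    def __init__(self, prefix="a"):
        self.names = (f"{prefix}{n}" for n in count(1))
        self.fresh = {}        # alien term t -> its fresh constant (same t, same a)
        self.definitions = []  # pure literals ("=", a, t'), the Define1 step

    def _abstract(self, term, owner):
        """Return a copy of `term` that only uses symbols of theory `owner`."""
        if isinstance(term, str):          # free constant: allowed in both theories
            return term
        symbol, *args = term
        home = theory_of(symbol)
        if home != owner:                  # alien subterm: rename it by a constant
            if term not in self.fresh:
                self.fresh[term] = next(self.names)
                pure = (symbol, *[self._abstract(s, home) for s in args])
                self.definitions.append(("=", self.fresh[term], pure))
            return self.fresh[term]
        return (symbol, *[self._abstract(s, owner) for s in args])

    def literal(self, lit):
        """Purify one literal (pred, t1, ..., tn); '=' and '!=' are shared symbols."""
        pred, *args = lit
        owner = theory_of(pred)
        if owner is None:                  # equality: a compound side decides
            heads = [theory_of(t[0]) for t in args if not isinstance(t, str)]
            owner = heads[0] if heads else 1
        return (pred, *[self._abstract(t, owner) for t in args])


def purify(literals, prefix="a"):
    """Return (definitions, rewritten literals, fresh constants introduced)."""
    p = Purifier(prefix)
    body = [p.literal(lit) for lit in literals]   # Redplus1 / Redminus1 step
    return p.definitions, body, list(p.fresh.values())


def symbols(term):
    """All function and predicate symbols occurring in a term or literal."""
    if isinstance(term, str):
        return set()
    return {term[0]}.union(*[symbols(s) for s in term[1:]])


def is_pure(lit):
    """A literal is pure when its non-shared symbols come from one signature."""
    return len({theory_of(s) for s in symbols(lit)} - {None}) <= 1


def expand(term, definitions):
    """Undo the renaming: replace every fresh constant by its defining term."""
    table = {a: t for _, a, t in definitions}
    if isinstance(term, str):
        return expand(table[term], definitions) if term in table else term
    return (term[0], *[expand(s, definitions) for s in term[1:]])


# Constructed input: both literals of A0 mix SIG1 and SIG2 symbols.
A0 = [
    ("=", ("f", ("+", "x", "y")), "z"),
    ("<=", ("f", ("+", "x", "y")), ("g", "z")),
]

if __name__ == "__main__":
    defs, body, fresh = purify(A0)
    for lit in defs + body:
        print(lit, "pure" if is_pure(lit) else "MIXED")
```

Since the fresh constants are introduced on the $A$ side only, they are $A$-strict, which is the situation that Term Sharing and the Share rule later have to deal with.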

Because of purification, from now on, we assume to manipulate pairs $A, B$ of sets of ground
formulae where literals built up of only $\Sigma_1$- or of only $\Sigma_2$-symbols occur (besides free constants):
this invariant will be in fact maintained during the execution of our algorithm. Given such a
pair $A, B$, we denote by $A_1$ and $A_2$ the subsets of $\Sigma_1$- and $\Sigma_2$-formulae belonging to $A$; the
subsets $B_1$ and $B_2$ of $B$ are defined similarly. Notice that it is false that $A = A_1 \cup A_2$ and
$B = B_1 \cup B_2$, since quantifier-free formulae can mix $\Sigma_1$- and $\Sigma_2$-symbols even if the literals
they are built from do not.

Before presenting our interpolation algorithm for the combination of theories, we need to
import a technique, called Term Sharing, from [9]. Suppose that $A$ contains a literal $a = t$,
where the term $t$ is $AB$-common and the free constant $a$ is $A$-strict (a symmetric technique
applies to $B$ instead of $A$). Then it is possible to "make $a$ $AB$-common" in the following
way. First, introduce a fresh $AB$-common constant $c$ with the explicit definition $c = t$ (to be
inserted both in $A$ and in $B$, as justified by metarule (Define0)); then replace the literal $a = t$
by $a = c$ and replace $a$ by $c$ everywhere else in $A$; finally, delete $a = c$ too. The result is a
pair $(A, B)$ where basically nothing has changed but $a$ has been renamed to an $AB$-common
constant $c$ (the transformation can be easily justified by a suitable subset of the metarules).

An $A$-relevant atom is either an atomic formula occurring in $A$ or it is an $A$-local equality
between free constants; an $A$-assignment is a Boolean assignment $\alpha$ to relevant $A$-atoms
satisfying $A$, seen as a set of propositional formulae (relevant $B$-atoms and $B$-assignments
are defined similarly). Below, we use the notation $\alpha$ to denote both the assignment $\alpha$ and
the set of literals $\{L \mid \alpha(L) = \mathrm{true}\}$.

We are now in the position to present the collection of transformations that should be
applied non-deterministically and exhaustively to a pair of purified sets of ground formulae (all
the transformations below can be justified by metarules, the justification is straightforward
and left to the reader). In the following, let $i \in \{1, 2\}$ and $X \in \{A, B\}$.

Terminate$_i$: if $A_i \cup B_i$ is $T_i$-unsatisfiable and $\bot \notin A \cup B$, use the interpolation algorithm
for $T_i$ to find a ground $AB$-common $\theta$ such that $A_i \vdash_{T_i} \theta$ and $\theta \wedge B_i \vdash_{T_i} \bot$; then add $\theta$
and $\bot$ to $B$.

Decide$_X$: if there is no $X$-assignment $\alpha$ such that $\alpha \subseteq X$, pick one of them (if there are
none, add $\bot$ to $X$); then update $X$ to $X \cup \alpha$.

Share$_i$: let $\underline{a} = a_1, \dots, a_n$ be the tuple of the current $A$-strict free constants and $\underline{b} =
b_1, \dots, b_m$ be the tuple of the current $B$-strict free constants. Suppose that $A_i \cup B_i$
is $T_i$-satisfiable, but $A_i \cup B_i \cup \{\underline{a} \cap \underline{b} = \emptyset\}$ is $T_i$-unsatisfiable. Since $T_i$ is equality
interpolating, there must exist $AB$-common $\Sigma_i$-ground terms $\underline{v} = v_1, \dots, v_p$ such that

$$A_i \cup B_i \vdash_{T_i} (\underline{a} \cap \underline{v} \neq \emptyset) \vee (\underline{b} \cap \underline{v} \neq \emptyset).$$

Thus the union of $A_i \cup \{\underline{a} \cap \underline{v} = \emptyset\}$ and of $B_i \cup \{\underline{b} \cap \underline{v} = \emptyset\}$ is not $T_i$-satisfiable and
invoking the available interpolation algorithm for $T_i$, we can compute a ground $AB$-common
$\Sigma_i$-formula $\theta$ such that $A_i \vdash_{T_i} \theta \vee \underline{a} \cap \underline{v} \neq \emptyset$ and $\theta \wedge B_i \vdash_{T_i} \underline{b} \cap \underline{v} \neq \emptyset$. We choose
among $n*p + m*p$ alternatives in order to non-deterministically update $A, B$. For the
first $n*p$ alternatives, we add some $a_i = v_j$ (for $1 \le i \le n$, $1 \le j \le p$) to $A$. For the last
$m*p$ alternatives, we add $\theta$ to $A$ and some $\{\theta, b_i = v_j\}$ to $B$ (for $1 \le i \le m$, $1 \le j \le p$).
Term sharing is finally applied to the updated pair in order to decrease the number of
the $A$-strict or $B$-strict free constants.

Let $CI(T_1, T_2)$ be the procedure that, once run on an unsatisfiable pair $A_0, B_0$, first purifies
it, then non-deterministically and exhaustively applies the transformation rules above, and
finally extracts an interpolant by using the instructions associated to the metarules.

Theorem 5.2. Let $T_1$ and $T_2$ be two signature disjoint, stably-infinite, and equality interpolating
theories having decidable SMT problems. Then, $CI(T_1, T_2)$ is a quantifier-free interpolation
algorithm for the combined theory $T_1 \cup T_2$.

Algorithm $CI(T_1, T_2)$ paves the way to reuse quantifier-free interpolation algorithms for
both conjunctions (see, e.g., [29]) or arbitrary Boolean combinations of literals (see, e.g., [11]).
In particular, the capability of reusing interpolation algorithms that can efficiently handle
the Boolean structure of formulae seems to be key to enlarge the scope of applicability of
verification methods based on interpolants [23]. Indeed, one major issue to address to make
$CI(T_1, T_2)$ practically usable is to eliminate the non-determinism. We believe this is possible
by adapting the Delayed Theory Combination approach [3].

6 Conclusion and Related Work 

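The results of this paper cover several results for the quantifier-free interpolation of combinations
of theories that are known from the literature, e.g., $\mathcal{EUF}$ and $\mathcal{LST}$ [32], $\mathcal{EUF}$ and
$\mathcal{LAQ}$ [11], [25], [29], $\mathcal{EUF}$ and $\mathcal{LAI}$ [6], $\mathcal{LST}$ with $\mathcal{LAQ}$ [32], and $\mathcal{AX}_{\mathrm{diff}}$ with $\mathcal{IDL}$ [8]. To
the best of our knowledge, the quantifier-free interpolation of the following combinations are
new: (a) $\mathcal{RDS}$ with $\mathcal{LAQ}$, $\mathcal{IDL}$, $\mathcal{UTVPI}$, $\mathcal{LAI}$, and $\mathcal{AX}_{\mathrm{diff}}$, (b) $\mathcal{LST}$ with $\mathcal{IDL}$, $\mathcal{UTVPI}$,
$\mathcal{LAI}$, and $\mathcal{AX}_{\mathrm{diff}}$, and (c) $\mathcal{AX}_{\mathrm{diff}}$ with $\mathcal{LAQ}$, $\mathcal{UTVPI}$, and $\mathcal{LAI}$.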

In Section 4.2 we have extensively discussed the closely related work of [32], where the
authors illustrate a method to derive interpolants in a Nelson-Oppen combination procedure,
provided that the component theories satisfy certain hypotheses. The work in [2, among
other contributions, recasts the method of [32] in the context of the $DPLL(T)$ paradigm.
An alternative combination method is in [1^ that has been designed to be efficiently
incorporated in state-of-the-art SMT solvers but is complete only for convex theories. An
interpolating theorem prover is described in [25], where a sequent-like calculus is used to
derive interpolants from proofs in propositional logic, equality with uninterpreted functions,
linear rational arithmetic, and their combinations. The "split" prover in [T2] applies a
sequent calculus for the synthesis of interpolants along the lines of that in [25] and is tuned
for predicate abstraction. The "split" prover can handle combinations of theories involving
that of arrays without extensionality and fragments of Linear Arithmetic. The CSISAT [2]
permits the computation of quantifier-free interpolants over a combination of $\mathcal{EUF}$ and $\mathcal{LAQ}$
refining the combination method in [32]. A version of MathSAT [TI] features interpolation
capabilities for $\mathcal{EUF}$, $\mathcal{LAQ}$, $\mathcal{IDL}$, $\mathcal{UTVPI}$ and $\mathcal{EUF} + \mathcal{LAQ}$ by extending Delayed Theory
Combination [1]. Theorem 5.2 is the key to combine the strength of these tools and to widen
the scope of applicability of available interpolation algorithms to richer combinations of
theories. Methods [6], [20], [22], [23] for the computation of quantified interpolants in the combination
of the theory of arrays and Presburger Arithmetic have been proposed. Our work focuses on
quantifier-free interpolants by identifying suitable variants of the component theories (e.g.,
$\mathcal{AX}_{\mathrm{diff}}$ instead of $\mathcal{AX}_{\mathrm{ext}}$, and $\mathcal{LAI}$ instead of Presburger Arithmetic). Orthogonal to our
approach is the work in [30] where interpolation algorithms are developed for extensions of
convex theories admitting quantifier-free interpolation.

The framework proposed in this paper allows us to give a uniform and coherent view of
many results available in the literature and we hope that it will be the starting point for new
developments.
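A List of Metarules

Close1
  Conclusion: $A \mid B$ (no premises).
  Prov.: $A$ is unsat.
  Instr.: $\phi' = \bot$.

Close2
  Conclusion: $A \mid B$ (no premises).
  Prov.: $B$ is unsat.
  Instr.: $\phi' = \top$.

Propagate1
  Premise: $A \mid B \cup \{\psi\}$. Conclusion: $A \mid B$.
  Prov.: $A \vdash \psi$ and $\psi$ is $AB$-common.
  Instr.: $\phi' = \phi \wedge \psi$.

Propagate2
  Premise: $A \cup \{\psi\} \mid B$. Conclusion: $A \mid B$.
  Prov.: $B \vdash \psi$ and $\psi$ is $AB$-common.
  Instr.: $\phi' = \psi \rightarrow \phi$.

Define0
  Premise: $A \cup \{a = t\} \mid B \cup \{a = t\}$. Conclusion: $A \mid B$.
  Prov.: $t$ is $AB$-common, $a$ fresh.
  Instr.: $\phi' = \phi(t/a)$.

Define1
  Premise: $A \cup \{a = t\} \mid B$. Conclusion: $A \mid B$.
  Prov.: $t$ is $A$-local and $a$ is fresh.
  Instr.: $\phi' = \phi$.

Define2
  Premise: $A \mid B \cup \{a = t\}$. Conclusion: $A \mid B$.
  Prov.: $t$ is $B$-local and $a$ is fresh.
  Instr.: $\phi' = \phi$.

Disjunction1
  Premises: $\cdots \; A \cup \{\psi_k\} \mid B \; \cdots$. Conclusion: $A \mid B$.
  Prov.: $\bigvee_{k=1}^{n} \psi_k$ is $A$-local and $A \vdash \bigvee_{k=1}^{n} \psi_k$.
  Instr.: $\phi' = \bigvee_{k=1}^{n} \phi_k$.

Disjunction2
  Premises: $\cdots \; A \mid B \cup \{\psi_k\} \; \cdots$. Conclusion: $A \mid B$.
  Prov.: $\bigvee_{k=1}^{n} \psi_k$ is $B$-local and $B \vdash \bigvee_{k=1}^{n} \psi_k$.
  Instr.: $\phi' = \bigwedge_{k=1}^{n} \phi_k$.

Redplus1
  Premise: $A \cup \{\psi\} \mid B$. Conclusion: $A \mid B$.
  Prov.: $A \vdash \psi$ and $\psi$ is $A$-local.
  Instr.: $\phi' = \phi$.

Redplus2
  Premise: $A \mid B \cup \{\psi\}$. Conclusion: $A \mid B$.
  Prov.: $B \vdash \psi$ and $\psi$ is $B$-local.
  Instr.: $\phi' = \phi$.

Redminus1
  Premise: $A \mid B$. Conclusion: $A \cup \{\psi\} \mid B$.
  Prov.: $A \vdash \psi$ and $\psi$ is $A$-local.
  Instr.: $\phi' = \phi$.

Redminus2
  Premise: $A \mid B$. Conclusion: $A \mid B \cup \{\psi\}$.
  Prov.: $B \vdash \psi$ and $\psi$ is $B$-local.
  Instr.: $\phi' = \phi$.

ConstElim1
  Premise: $A \mid B$. Conclusion: $A \cup \{a = t\} \mid B$.
  Prov.: $a$ is $A$-strict and does not occur in $A, t$.
  Instr.: $\phi' = \phi$.

ConstElim2
  Premise: $A \mid B$. Conclusion: $A \mid B \cup \{b = t\}$.
  Prov.: $b$ is $B$-strict and does not occur in $B, t$.
  Instr.: $\phi' = \phi$.

ConstElim0
  Premise: $A \mid B$. Conclusion: $A \cup \{c = t\} \mid B \cup \{c = t\}$.
  Prov.: $c, t$ are $AB$-common, $c$ does not occur in $A, B, t$.
  Instr.: $\phi' = \phi$.

Table 1: Interpolating Metarules: each rule has a proviso Prov. and an instruction Instr. for recursively
computing the new interpolant $\phi'$ from the old one(s) $\phi, \phi_1, \dots, \phi_k$. Metarules are applied bottom-up and
interpolants are computed top-down.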
B Proofs

We give here all the proofs not included in the text.

B.1 Proofs for Section 3

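Lemma B.1. Let $T$ be a theory in a signature $\Sigma$ and let $\underline{a}, \underline{b}, \underline{c}$ be tuples of (distinct) free
constants; let also $\Theta_1, \Theta_2$ be sets of ground formulae having the following properties:

- in $\Theta_1$ at most the free constants $\underline{a}, \underline{c}$ occur;

- in $\Theta_2$ at most the free constants $\underline{b}, \underline{c}$ occur;

- there is no ground formula $\theta(\underline{c})$ such that $\Theta_1 \vdash_T \theta(\underline{c})$ and $\Theta_2 \vdash_T \neg\theta(\underline{c})$.

Then there are models $\mathcal{M}_1, \mathcal{M}_2$ of $T$ such that $\mathcal{M}_1 \models \Theta_1$, $\mathcal{M}_2 \models \Theta_2$ and such that the
intersection of the supports of $\mathcal{M}_1$ and $\mathcal{M}_2$ is precisely the substructure generated by the
interpretation of the constants $\underline{c}$.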

Proof. Let us call $\Sigma^A$ the signature $\Sigma$ expanded with the free constants $\underline{a} \cup \underline{c}$ and $\Sigma^B$ the
signature $\Sigma$ expanded with the free constants $\underline{b} \cup \underline{c}$ (we put $\Sigma^C := \Sigma^A \cap \Sigma^B = \Sigma \cup \{\underline{c}\}$). As
a first step, we build a maximal $T$-consistent set $\Gamma$ of ground $\Sigma^A$-formulae and a maximal
$T$-consistent set $\Delta$ of ground $\Sigma^B$-formulae such that $\Theta_1 \subseteq \Gamma$, $\Theta_2 \subseteq \Delta$, and $\Gamma \cap \Sigma^C = \Delta \cap \Sigma^C$.
For simplicity, let us assume that $\Sigma$ is at most countable, so that we can fix two enumerations

of ground $\Sigma^A$- and $\Sigma^B$-formulae, respectively. We build inductively $\Gamma_n, \Delta_n$ such that for every
$n$ (i) $\Gamma_n$ contains either $\phi_n$ or $\neg\phi_n$; (ii) $\Delta_n$ contains either $\psi_n$ or $\neg\psi_n$; (iii) there is no ground
$\Sigma^C$-formula $\theta$ such that $\Gamma_n \cup \{\neg\theta\}$ and $\Delta_n \cup \{\theta\}$ are not $T$-consistent. Once this is done, we
can get our $\Gamma, \Delta$ as $\Gamma = \bigcup \Gamma_n$ and $\Delta = \bigcup \Delta_n$.

We let $\Gamma_0$ be $\Theta_1$ and $\Delta_0$ be $\Theta_2$ (notice that (iii) holds by assumption). To build $\Gamma_{n+1}$ we
have two possibilities, namely $\Gamma_n \cup \{\phi_n\}$ and $\Gamma_n \cup \{\neg\phi_n\}$. Suppose they are both unsuitable
because there are $\theta_1, \theta_2 \in \Sigma^C$ such that the sets

$$\Gamma_n \cup \{\phi_n, \neg\theta_1\}, \quad \Delta_n \cup \{\theta_1\}, \quad \Gamma_n \cup \{\neg\phi_n, \neg\theta_2\}, \quad \Delta_n \cup \{\theta_2\}$$

are all $T$-inconsistent. If we put $\theta = \theta_1 \vee \theta_2$, we get that $\Gamma_n \cup \{\neg\theta\}$ and $\Delta_n \cup \{\theta\}$ are not
$T$-consistent, contrary to induction hypothesis. A similar argument shows that we can also
build $\Delta_{n+1}$.

Footnote: By abuse, we use $\Sigma^C$ to indicate not only the signature $\Sigma^C$ but also the set of formulae in the signature $\Sigma^C$.
Footnote: This is just to avoid a (straightforward indeed) transfinite induction argument.

Let now $\mathcal{M}_1$ be a model of $\Gamma$ and $\mathcal{M}_2$ be a model of $\Delta$. Consider the substructures $\mathcal{A}_1, \mathcal{A}_2$
of $\mathcal{M}_1, \mathcal{M}_2$ generated by the interpretations of the constants from $\Sigma^C$: since they satisfy the
same literals from $\Sigma^C$ (because $\Gamma \cap \Sigma^C = \Delta \cap \Sigma^C$), we have that $\mathcal{A}_1$ and $\mathcal{A}_2$ are $\Sigma^C$-isomorphic.
Up to renaming, we can suppose that $\mathcal{A}_1$ and $\mathcal{A}_2$ are just the same substructure. □

Theorem 3.2. A theory $T$ admits quantifier-free interpolants iff $T$ has the sub-amalgamation
property.

Proof. Suppose first that $T$ has sub-amalgamation; let $\phi, \psi$ be quantifier-free formulae such
that $\phi \wedge \psi$ is not $T$-satisfiable. Let us replace variables with free constants in $\phi, \psi$; let us
call $\Sigma^A$ the signature $\Sigma$ expanded with the free constants from $\phi$ and $\Sigma^B$ the signature $\Sigma$
expanded with the free constants from $\psi$ (we put $\Sigma^C := \Sigma^A \cap \Sigma^B$). For reductio, suppose
that there is no ground formula $\theta$ such that: (a) $\phi$ $T$-entails $\theta$; (b) $\theta \wedge \psi$ is $T$-unsatisfiable;
(c) only free constants from $\Sigma^C$ occur in $\theta$. By Lemma B.1, taking $\Theta_1 := \{\phi\}$, $\Theta_2 := \{\psi\}$,
we know that there are models $\mathcal{M}_1, \mathcal{M}_2$ of $T$ such that $\mathcal{M}_1 \models \phi$, $\mathcal{M}_2 \models \psi$ and such that the
intersection of the supports of $\mathcal{M}_1$ and $\mathcal{M}_2$ is precisely the substructure generated by the
interpretation of the constants from $\Sigma^C$ (let us call this substructure $\mathcal{A}$ for short). By the
sub-amalgamation property, there is a $T$-amalgam $\mathcal{M}$ of $\mathcal{M}_1$ and $\mathcal{M}_2$ over $\mathcal{A}$. Now $\phi, \psi$ are
ground formulae true in $\mathcal{M}_1$ and $\mathcal{M}_2$, respectively, hence they are both true in $\mathcal{M}$, which is
impossible because $\phi \wedge \psi$ was assumed to be $T$-inconsistent.

Suppose now that $T$ has quantifier-free interpolants. Take two models $\mathcal{M}_1$ and $\mathcal{M}_2$ of $T$
sharing a substructure $\mathcal{A}$; we can freely suppose (up to a renaming) that $|\mathcal{M}_1| \cap |\mathcal{M}_2| = |\mathcal{A}|$
(we use the notation $|-|$ to indicate the support of a structure). In order to show that a
$T$-amalgam of $\mathcal{M}_1, \mathcal{M}_2$ over $\mathcal{A}$ exists, it is sufficient (by Robinson Diagram Lemma [10]) to
show that $\Delta_\Sigma(\mathcal{M}_1) \cup \Delta_\Sigma(\mathcal{M}_2)$ is $T$-consistent, where (for $i = 1, 2$) $\Delta_\Sigma(\mathcal{M}_i)$ is the diagram of
$\mathcal{M}_i$, namely the set of $\Sigma \cup |\mathcal{M}_i|$-literals true in $\mathcal{M}_i$.

If $\Delta_\Sigma(\mathcal{M}_1) \cup \Delta_\Sigma(\mathcal{M}_2)$ is not $T$-consistent, by the compactness theorem of first order logic,
there exist a $\Sigma \cup |\mathcal{M}_1|$-ground sentence $\phi$ and a $\Sigma \cup |\mathcal{M}_2|$-ground sentence $\psi$ such that (i) $\phi \wedge \psi$
is $T$-inconsistent; (ii) $\phi$ is a conjunction of literals from $\Delta_\Sigma(\mathcal{M}_1)$; (iii) $\psi$ is a conjunction of
literals from $\Delta_\Sigma(\mathcal{M}_2)$. By the existence of quantifier-free interpolants, taking free constants
instead of variables, we get that there exists a ground $\Sigma \cup |\mathcal{A}|$-sentence $\theta$ such that $\phi$ $T$-entails
$\theta$ and $\psi \wedge \theta$ is $T$-inconsistent. The former fact yields that $\theta$ is true in $\mathcal{M}_1$ and hence also in
$\mathcal{A}$ and in $\mathcal{M}_2$, because $\theta$ is ground. However, the fact that $\theta$ is true in $\mathcal{M}_2$ contradicts the
fact that $\psi \wedge \theta$ is $T$-inconsistent. □



The following Lemma is part of the well-known Nelson-Oppen combination results [31],
[26]:

Lemma B.2. Suppose that $T_1, T_2$ are two stably infinite theories in disjoint signatures $\Sigma_1, \Sigma_2$
and let $C$ be a set of free constants not belonging to $\Sigma_1 \cup \Sigma_2$; let $\Gamma$ be a partition of $C$, i.e. a
set of ground equalities or inequalities containing the literal $c_1 = c_2$ or the literal $c_1 \neq c_2$, for
all pairs of different constants from $C$. For $i = 1, 2$, let $\Theta_i$ be a $T_i$-consistent set of ground
$\Sigma_i \cup C$-formulae containing $\Gamma$. Then $\Theta_1 \cup \Theta_2$ is $T_1 \cup T_2$-consistent.

Proof. Let $\mathcal{M}_1, \mathcal{M}_2$ be two models of $T_1 \cup \Theta_1$, $T_2 \cup \Theta_2$, respectively. By stable infiniteness
and upward Löwenheim-Skolem theorem [10], we can assume that they are both infinite and
have the same cardinality (bigger than the cardinality of $C$). Thus there is a bijection $f$
among their supports and (as equalities of constants from $C$ are interpreted in the same way
in $\mathcal{M}_1$ and $\mathcal{M}_2$) we can assume that $f(c^{\mathcal{M}_1}) = c^{\mathcal{M}_2}$. Using this bijection, it is easy to lift the
interpretation of the $\Sigma_2$-symbols from the support of $\mathcal{M}_2$ to the support of $\mathcal{M}_1$. The lifted
model is $\Sigma_2 \cup C$-isomorphic to $\mathcal{M}_2$, thus it is a model of $T_1 \cup T_2 \cup \Theta_1 \cup \Theta_2$. □

Theorem 3.3. Let $T_1, T_2$ be two stably infinite theories in disjoint signatures $\Sigma_1, \Sigma_2$. If $T_1, T_2$
both have the strong sub-amalgamation property, then so does $T_1 \cup T_2$.

Proof. Consider two models $\mathcal{M}_1, \mathcal{M}_2$ of $T_1 \cup T_2$ together with a common substructure $\mathcal{A}$;
we can freely suppose (up to a renaming) that $|\mathcal{M}_1| \cap |\mathcal{M}_2| = |\mathcal{A}|$. By Robinson Diagram
Lemma [10], it is sufficient to show the consistency of $T_1 \cup T_2 \cup \Gamma_1 \cup \Gamma_2$, where $\Gamma_i$ ($i = 1, 2$)
is defined as

$$\Gamma_i = \Delta_{\Sigma_i}(\mathcal{M}_1) \cup \Delta_{\Sigma_i}(\mathcal{M}_2) \cup \{m_1 \neq m_2 \mid m_1 \in |\mathcal{M}_1| \setminus |\mathcal{A}|,\ m_2 \in |\mathcal{M}_2| \setminus |\mathcal{A}|\}.$$

By compactness, it is enough to show the $T_1 \cup T_2$-consistency of the subset $T_1 \cup T_2 \cup \Gamma_1^0 \cup \Gamma_2^0$
of $T_1 \cup T_2 \cup \Gamma_1 \cup \Gamma_2$ mentioning just a finite set $C$ of free constants from $|\mathcal{M}_1| \cup |\mathcal{M}_2|$.
By the strong amalgamability of $T_1$ and $T_2$, we know that $T_1 \cup \Gamma_1^0$ and $T_2 \cup \Gamma_2^0$ are both
consistent. Now notice that for every pair $c_1, c_2$ of distinct constants from $C$, the set $\Gamma_i$
(hence also the set $\Gamma_i^0$) contains the negative literal $c_1 \neq c_2$: in fact, this inequation is part
of the definition of the diagram of a structure or (in case $c_1, c_2$ are from different supports)
it has been added explicitly when building $\Gamma_1, \Gamma_2$. According to Lemma B.2, this is sufficient
to infer the consistency of $T_1 \cup T_2 \cup \Gamma_1^0 \cup \Gamma_2^0$, as $T_1, T_2$ are stably infinite. □

Theorem 3.5. Let $T$ be a theory admitting quantifier-free interpolation and let $\Sigma$ be a signature
disjoint from the signature of $T$ and containing at least a unary predicate symbol. Then
$T \cup \mathcal{EUF}(\Sigma)$ has quantifier-free interpolation iff $T$ has the strong sub-amalgamation property.

Proof. (Below $\Sigma_T$ is the signature of $T$). Let $T$ be strongly amalgamable and let $\mathcal{M}_1, \mathcal{M}_2$ be
two models of $T \cup \mathcal{EUF}(\Sigma)$ sharing a submodel $\mathcal{M}_0$ (as usual, we suppose that $|\mathcal{M}_1| \cap |\mathcal{M}_2| =
|\mathcal{M}_0|$). To amalgamate them, consider first a model $\mathcal{M}$ of $T$ strongly amalgamating the
$\Sigma_T$-reducts of $\mathcal{M}_1, \mathcal{M}_2$ over the $\Sigma_T$-reduct of $\mathcal{M}_0$. Since the amalgam is strong, up to isomorphism
we can consider the support of $\mathcal{M}$ as a superset of $|\mathcal{M}_1| \cup |\mathcal{M}_2|$; thus it is easy to expand $\mathcal{M}$
to a total structure interpreting the symbols of $\Sigma$. The expansion is a model of $T \cup \mathcal{EUF}(\Sigma)$
amalgamating $\mathcal{M}_1$ and $\mathcal{M}_2$ over $\mathcal{M}_0$.

Conversely, suppose that $T$ does not have the sub-amalgamation property. Let $\mathcal{M}_1, \mathcal{M}_2$
be models of $T$ and let $\mathcal{A}$ be a substructure of them such that there are no data $\mathcal{M}, \mu_1, \mu_2$
satisfying the conditions for the strong sub-amalgamability property. This means that the set

$$\Gamma = \Delta_{\Sigma_T}(\mathcal{M}_1) \cup \Delta_{\Sigma_T}(\mathcal{M}_2) \cup \{m_1 \neq m_2 \mid m_1 \in |\mathcal{M}_1| \setminus |\mathcal{A}|,\ m_2 \in |\mathcal{M}_2| \setminus |\mathcal{A}|\}$$

is not $T$-consistent. By compactness, there are $m_1^1, \dots, m_1^k \in |\mathcal{M}_1| \setminus |\mathcal{A}|$ and $m_2^1, \dots, m_2^k \in
|\mathcal{M}_2| \setminus |\mathcal{A}|$ such that

$$T \cup \Delta_{\Sigma_T}(\mathcal{M}_1) \cup \Delta_{\Sigma_T}(\mathcal{M}_2) \vdash \bigvee_{i=1}^{k} m_1^i = m_2^i. \qquad (5)$$

Expand now $\mathcal{M}_1, \mathcal{M}_2$ to $\Sigma_T \cup \Sigma$-structures as follows: the $\Sigma$-symbols are interpreted arbitrarily
(but in such a way that $\mathcal{A}$ remains a substructure of the expansions) apart from the unary
predicate $P$, which is interpreted as the whole support of $\mathcal{M}_1$ in the expansion of $\mathcal{M}_1$ and as
the support of $\mathcal{A}$ in the expansion of $\mathcal{M}_2$. From (5), it is then clear that sub-amalgamation
(hence quantifier-free interpolation) fails for $T_1 \cup T_2$: in fact, any $\mathcal{M} \models T$ amalgamating
$\mathcal{M}_1, \mathcal{M}_2$ over $\mathcal{A}$ must identify some $m_1 \in |\mathcal{M}_1| \setminus |\mathcal{A}|$ with some $m_2 \in |\mathcal{M}_2| \setminus |\mathcal{A}|$, which is
impossible as the interpretation of $P$ in $\mathcal{M}$ must agree with the interpretations of $P$ in the
expansions of $\mathcal{M}_1$ and $\mathcal{M}_2$. □

B.2 Proofs for Section 4

Theorem [32] shows the equivalence between strong amalgamability and equality interpolation; 
we add one equivalent characterization more in the statement below: 

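Theorem 4.2. The following conditions are equivalent for a theory $T$ having quantifier-free
interpolation:

(i) $T$ is strongly sub-amalgamable;

(ii) $T$ is equality interpolating;

(iii) for every triple $\underline{x}, \underline{y}_1, \underline{y}_2$ of tuples of variables and for every pair of quantifier-free formulae
$\delta_1(\underline{x}, \underline{y}_1), \delta_2(\underline{x}, \underline{y}_2)$ such that

$$\delta_1(\underline{x}, \underline{y}_1) \wedge \delta_2(\underline{x}, \underline{y}_2) \vdash_T \underline{y}_1 \cap \underline{y}_2 \neq \emptyset \qquad (6)$$

there is a tuple $\underline{v}(\underline{x})$ of terms such that

$$\delta_1(\underline{x}, \underline{y}_1) \wedge \delta_2(\underline{x}, \underline{y}_2) \vdash_T \underline{y}_1\underline{y}_2 \cap \underline{v} \neq \emptyset. \qquad (7)$$

Proof. We first show (i) $\Rightarrow$ (ii). Suppose first that $T$ is strongly sub-amalgamable; we
show that (1) $\Rightarrow$ (2) holds by contraposition. So, let us fix tuples of fresh free constants
$\underline{a}, \underline{m}_1, \underline{n}_1, \underline{m}_2, \underline{n}_2$ and suppose that for every finite tuple $\underline{v}$ of $\Sigma \cup \{\underline{a}\}$-ground terms, the
formula

$$\delta_1(\underline{a}, \underline{n}_1, \underline{m}_1) \wedge \delta_2(\underline{a}, \underline{n}_2, \underline{m}_2) \wedge (\underline{m}_1\underline{m}_2 \cap \underline{v} = \emptyset) \qquad (8)$$

is $T$-consistent (here $\Sigma$ is the signature of $T$). We claim that the set

$$\{\delta_1(\underline{a}, \underline{n}_1, \underline{m}_1), \delta_2(\underline{a}, \underline{n}_2, \underline{m}_2)\} \cup \{\underline{m}_1\underline{m}_2 \cap \underline{v} = \emptyset\}_{\underline{v}} \qquad (9)$$

is $T$-consistent, where $\underline{v}$ varies over all possible tuples of such terms. In fact, if (9) were not
consistent, by compactness, there would be tuples of $\Sigma \cup \{\underline{a}\}$-ground terms $\underline{v}_1, \dots, \underline{v}_k$ such
that

$$\delta_1(\underline{a}, \underline{n}_1, \underline{m}_1) \wedge \delta_2(\underline{a}, \underline{n}_2, \underline{m}_2) \wedge \bigwedge_{i=1}^{k} (\underline{m}_1\underline{m}_2 \cap \underline{v}_i = \emptyset)$$

were not $T$-consistent. Putting $\underline{v}$ equal to the tuple obtained by juxtaposition $\underline{v}_1 \cdots \underline{v}_k$, we
would get a $\underline{v}$ contradicting (8).

Let $\Theta_1$ be $\{\delta_1(\underline{a}, \underline{n}_1, \underline{m}_1)\} \cup \{\underline{m}_1 \cap \underline{v} = \emptyset\}_{\underline{v}}$ and let $\Theta_2$ be $\{\delta_2(\underline{a}, \underline{n}_2, \underline{m}_2)\} \cup \{\underline{m}_2 \cap \underline{v} = \emptyset\}_{\underline{v}}$.
Since $\Theta_1 \cup \Theta_2$ is equal to (9) which is $T$-consistent, there is no ground $\Sigma \cup \{\underline{a}\}$-formula $\theta(\underline{a})$
such that $\Theta_1 \vdash_T \theta(\underline{a})$ and such that $\Theta_2 \cup \{\theta(\underline{a})\}$ is not $T$-consistent. By Lemma B.1, we
can then produce models $\mathcal{M}_1, \mathcal{M}_2$ of $T$ such that $\mathcal{M}_1 \models \Theta_1$, $\mathcal{M}_2 \models \Theta_2$ and such that the
intersection of their supports is precisely the substructure generated by the interpretation
of the constants $\underline{a}$. If we now strongly amalgamate them, we get a model of $T$ in which
$\delta_1(\underline{a}, \underline{n}_1, \underline{m}_1)$, $\delta_2(\underline{a}, \underline{n}_2, \underline{m}_2)$, $\underline{m}_1 \cap \underline{m}_2 = \emptyset$ are all true, showing that (1) fails.

The implication (ii) $\Rightarrow$ (iii) is trivial. We prove (iii) $\Rightarrow$ (i). Suppose that we have (6) $\Rightarrow$ (7)
and let us prove strong sub-amalgamability. If the latter property fails, by Robinson Diagram
Lemma, there are models $\mathcal{M}_1, \mathcal{M}_2$ of $T$ together with a shared substructure $\mathcal{A}$ such that the
set of sentences

$$\Gamma = \Delta_\Sigma(\mathcal{M}_1) \cup \Delta_\Sigma(\mathcal{M}_2) \cup \{m_1 \neq m_2 \mid m_1 \in |\mathcal{M}_1| \setminus |\mathcal{A}|,\ m_2 \in |\mathcal{M}_2| \setminus |\mathcal{A}|\}$$

is not $T$-consistent. By compactness, the sentence

$$\delta_1(\underline{a}, \underline{m}_1) \wedge \delta_2(\underline{a}, \underline{m}_2) \rightarrow \underline{m}_1 \cap \underline{m}_2 \neq \emptyset$$

is $T$-valid, for some tuples $\underline{a} \subseteq |\mathcal{A}|$, $\underline{m}_1 \subseteq (|\mathcal{M}_1| \setminus |\mathcal{A}|)$, $\underline{m}_2 \subseteq (|\mathcal{M}_2| \setminus |\mathcal{A}|)$ and for some ground
formulae $\delta_1(\underline{a}, \underline{m}_1), \delta_2(\underline{a}, \underline{m}_2)$ true in $\mathcal{M}_1, \mathcal{M}_2$, respectively. By the implication (6) $\Rightarrow$ (7),
there exists a finite tuple $\underline{v}(\underline{a})$ of $\Sigma \cup \{\underline{a}\}$-terms such that

$$\delta_1(\underline{a}, \underline{m}_1) \wedge (\underline{m}_1 \cap \underline{v}(\underline{a}) = \emptyset) \wedge \delta_2(\underline{a}, \underline{m}_2) \wedge (\underline{m}_2 \cap \underline{v}(\underline{a}) = \emptyset)$$

is not $T$-consistent. Since $T$ has quantifier-free interpolation, there is a ground formula $\theta(\underline{a})$
such that

$$\delta_1(\underline{a}, \underline{m}_1) \wedge (\underline{m}_1 \cap \underline{v}(\underline{a}) = \emptyset) \rightarrow \theta(\underline{a}) \qquad (10)$$

is $T$-valid and

$$\delta_2(\underline{a}, \underline{m}_2) \wedge (\underline{m}_2 \cap \underline{v}(\underline{a}) = \emptyset) \wedge \theta(\underline{a}) \qquad (11)$$

is not $T$-consistent. However this is a contradiction: since $\underline{m}_1 \subseteq |\mathcal{M}_1| \setminus |\mathcal{A}|$, the formula
$\underline{m}_1 \cap \underline{v}(\underline{a}) = \emptyset$ is true in $\mathcal{M}_1$, which entails that $\theta(\underline{a})$ is true in $\mathcal{A}$ and in $\mathcal{M}_2$ too, where (11)
consequently holds. □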

Notice that (iii) is just the special case of (ii) arising when the tuple $\underline{z}$ is empty; this special
case can be enough in the applications (for instance, the combined interpolation algorithm
from Section 5 makes use of this special case only).

We now come to the results concerning equality interpolation and quantifier elimination. 

Lemma B.3. Let $T$ be a theory admitting quantifier elimination; $T$ is universal iff for every
quantifier-free formula $\phi(\underline{x}, \underline{y})$, there exist tuples $\underline{t}_1(\underline{x}), \dots, \underline{t}_n(\underline{x})$ of tuples of terms such that

$$T \vdash \exists \underline{y}\, \phi(\underline{x}, \underline{y}) \leftrightarrow \bigvee_{i=1}^{n} \phi(\underline{x}, \underline{t}_i(\underline{x})). \qquad (12)$$

Proof. If the condition of the Lemma is true for every $\phi(\underline{x}, \underline{y})$, one can find an equivalent
universal set of axioms for $T$ as follows. Notice that the right-to-left side of (12) is a logical
validity and the left-to-right side is equivalent to a universal formula. Thus, we can take as
axioms for $T$ the universal closures of the left-to-right sides of (12), together with the ground
formulae which are logical consequences of $T$. In fact, axioms (12) are sufficient to find for
every sentence a ground formula $T$-equivalent to it.

Conversely, suppose that $T$ is universal and that there is $\phi(\underline{x}, y_1, \dots, y_m)$ such that (12)
does not hold (for all possible tuples of $m$-tuples of terms). Then, by compactness, we have
that the set of sentences

$$\Gamma = \{\phi(\underline{a}, \underline{b})\} \cup \{\neg\phi(\underline{a}, \underline{t}(\underline{a}))\}_{\underline{t}}$$

is $T$-consistent (here $\Sigma$ is the signature of $T$, $\underline{a}$, $\underline{b} := b_1, \dots, b_m$ are tuples of fresh constants
and $\underline{t}$ vary on the set of $m$-tuples of $\Sigma \cup \{\underline{a}\}$-terms). Let $\mathcal{M}$ be a $T$-model of $\Gamma$ and let $\mathcal{N}$ be the
substructure of $\mathcal{M}$ generated by the $\underline{a}$. Since $T$ is universal and truth of universal sentences
is preserved under taking substructures, $\mathcal{N}$ is also a model of $T$ and since $T$ has quantifier
elimination, $\exists \underline{y}\, \phi(\underline{a}, \underline{y})$ - being $T$-equivalent to a quantifier-free $\Sigma \cup \{\underline{a}\}$-sentence - is true in $\mathcal{N}$
too. This is a contradiction because from $\mathcal{N} \models \exists \underline{y}\, \phi(\underline{a}, \underline{y})$ it follows that $\mathcal{N} \models \phi(\underline{a}, \underline{t}(\underline{a}))$ holds
for some $\underline{t}$, contrary to the fact that $\mathcal{M} \not\models \phi(\underline{a}, \underline{t}(\underline{a}))$ and to the fact that $\mathcal{N}$ is a substructure
of $\mathcal{M}$. □

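Theorem 4.3. A universal theory admitting quantifier elimination is equality interpolating.

Proof. We show that a universal and quantifier eliminable theory $T$ satisfies the implication
(6) $\Rightarrow$ (7). Suppose that (6) holds; by the previous Lemma, there exist tuples of terms
$\underline{t}_1(\underline{x}), \dots, \underline{t}_k(\underline{x})$ such that

$$\exists \underline{y}_2\, \delta_2(\underline{x}, \underline{y}_2) \leftrightarrow \bigvee_{j=1}^{k} \delta_2(\underline{x}, \underline{t}_j(\underline{x})) \qquad (13)$$

is $T$-valid. For every $j = 1, \dots, k$, if we replace $\underline{y}_2$ with $\underline{t}_j$ in (6), we get

$$\delta_1(\underline{x}, \underline{y}_1) \wedge \delta_2(\underline{x}, \underline{t}_j) \vdash_T \underline{y}_1 \cap \underline{t}_j \neq \emptyset$$

hence also

$$\delta_1(\underline{x}, \underline{y}_1) \wedge \bigvee_{j=1}^{k} \delta_2(\underline{x}, \underline{t}_j) \vdash_T \bigvee_{j=1}^{k} (\underline{y}_1 \cap \underline{t}_j \neq \emptyset).$$

Taking into account (13) and letting $\underline{v}$ be the tuple $\underline{t}_1 \cdots \underline{t}_k$ obtained by juxtaposition, we get

$$\delta_1(\underline{x}, \underline{y}_1) \wedge \exists \underline{y}_2\, \delta_2(\underline{x}, \underline{y}_2) \vdash_T \underline{y}_1 \cap \underline{v} \neq \emptyset.$$

Removing the existential quantifier in the antecedent of the implication, we obtain

$$\delta_1(\underline{x}, \underline{y}_1) \wedge \delta_2(\underline{x}, \underline{y}_2) \vdash_T \underline{y}_1 \cap \underline{v} \neq \emptyset$$

and a fortiori (7), as desired. □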

We point out that the obvious converse of Theorem 4.3 is not true: the theory of dense
linear orders without endpoints has quantifier elimination, is equality interpolating (because it
can be checked it has the strong sub-amalgamation property), but does not admit a universal
set of axioms (because it is not closed under substructures).

The proof of Theorem 4.3 is important also from the applications point of view. In
fact, in the combined interpolation algorithm designed in Section 5 one is given formulae
$\delta_1, \delta_2$ satisfying (6) and is asked to compute terms $\underline{v}(\underline{x})$ satisfying (7). In case our equality
interpolating theory is universal and has quantifier elimination, one way to do this is to run the
quantifier elimination algorithm over $\exists \underline{y}_2\, \delta_2(\underline{x}, \underline{y}_2)$ and to let $\underline{v}$ be the tuple $\underline{t}_1 \cdots \underline{t}_k$ obtained
by juxtaposition from the tuples in the right member of (13).

Lemma B.3 is also interesting in itself. According to Theorem 4.3, a sufficient condition
for a theory $T$ to be equality interpolating is to have quantifier elimination via a universal set
of axioms. The Lemma gives the possibility of checking the existence of such a set of axioms
just by inspecting the quantifier elimination algorithm. Sometimes, this procedure is easy. As
an example, we can take the case of linear real arithmetic and Fourier-Motzkin algorithm. It
is not difficult to see that Fourier-Motzkin algorithm satisfies the condition of Lemma B.3 in
the sense that it always 'eliminates existential quantifiers via tuples of terms'. For instance,
when eliminating $\exists x$ from $\exists x\,(x < y_1 \wedge x < y_2 \wedge y_3 < x)$ one gets

$$(t_1 < y_1 \wedge t_1 < y_2 \wedge y_3 < t_1) \vee (t_2 < y_1 \wedge t_2 < y_2 \wedge y_3 < t_2)$$

where $t_1 := y_3 + (y_1 - y_3)/2$ and $t_2 := y_3 + (y_2 - y_3)/2$.
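
An added Python example (not from the paper) of 'eliminating existential quantifiers via tuples of terms': it builds the midpoint terms symbolically and compares the resulting disjunction with the usual Fourier-Motzkin projection on a grid of rationals. It goes beyond the instance above by accepting any non-empty sets of strict lower and upper bounds on $x$; the dictionary representation of linear terms and all function names are assumptions of this sketch.

```python
from fractions import Fraction
from itertools import product

HALF = Fraction(1, 2)

# A linear term is a dict {variable name: coefficient}; the key 1 holds the constant.


def var(name):
    return {name: Fraction(1)}


def combine(s, cs, t, ct):
    """Return the linear term cs*s + ct*t, dropping zero coefficients."""
    out = {}
    for term, c in ((s, cs), (t, ct)):
        for k, v in term.items():
            out[k] = out.get(k, Fraction(0)) + c * v
    return {k: v for k, v in out.items() if v != 0}


def value(term, env):
    """Evaluate a linear term under an assignment of rationals to variables."""
    return sum(c * (1 if k == 1 else env[k]) for k, c in term.items())


def show(term):
    return " + ".join(str(c) if k == 1 else f"{c}*{k}" for k, c in term.items())


def witness_terms(lowers, uppers):
    """One term l + (u - l)/2 per pair of a lower bound l < x and an upper bound x < u."""
    return [combine(l, 1, combine(u, 1, l, -1), HALF)
            for l, u in product(lowers, uppers)]


def matrix(x, lowers, uppers, env):
    """Quantifier-free matrix: every l < x and every x < u, at the point x."""
    return (all(value(l, env) < x for l in lowers)
            and all(x < value(u, env) for u in uppers))


def disagreements(lowers, uppers, variables, grid):
    """Count grid assignments where the two eliminations of 'exists x' differ."""
    terms = witness_terms(lowers, uppers)
    bad = 0
    for values in product(grid, repeat=len(variables)):
        env = dict(zip(variables, values))
        # Elimination via terms: disjunction of the matrix over the witnesses.
        by_terms = any(matrix(value(t, env), lowers, uppers, env) for t in terms)
        # Classical projection: each lower bound strictly below each upper bound.
        by_projection = all(value(l, env) < value(u, env)
                            for l, u in product(lowers, uppers))
        bad += by_terms != by_projection
    return bad


if __name__ == "__main__":
    y1, y2, y3 = var("y1"), var("y2"), var("y3")
    for t in witness_terms([y3], [y1, y2]):
        print("witness term:", show(t))
    grid = [Fraction(n, 2) for n in range(-3, 4)]   # constructed sample points
    print("disagreements:", disagreements([y3], [y1, y2], ["y1", "y2", "y3"], grid))
```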

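We now show that in the convex case, our notion of an equality interpolating theory
coincides with the one given in [32].

Proposition 4.4. A convex theory $T$ having quantifier-free interpolation is equality
interpolating iff for every pair $y_1, y_2$ of variables and for every pair of conjunctions of literals
$\delta_1(\underline{x}, \underline{z}_1, y_1), \delta_2(\underline{x}, \underline{z}_2, y_2)$ such that

$$\delta_1(\underline{x}, \underline{z}_1, y_1) \wedge \delta_2(\underline{x}, \underline{z}_2, y_2) \vdash_T y_1 = y_2 \qquad (3)$$

there exists a term $v(\underline{x})$ such that

$$\delta_1(\underline{x}, \underline{z}_1, y_1) \wedge \delta_2(\underline{x}, \underline{z}_2, y_2) \vdash_T y_1 = v \wedge y_2 = v. \qquad (4)$$

Proof. If $\delta_1(\underline{x}, \underline{z}_1, y_1) \wedge \delta_2(\underline{x}, \underline{z}_2, y_2) \vdash_T y_1 = y_2$ holds and $T$ is equality interpolating, it follows
that there are terms $\underline{v}(\underline{x}) := v_1(\underline{x}), \dots, v_n(\underline{x})$ such that

$$\delta_1(\underline{x}, \underline{z}_1, y_1) \wedge \delta_2(\underline{x}, \underline{z}_2, y_2) \vdash_T \bigvee_{i=1}^{n} (y_1 = v_i) \vee \bigvee_{i=1}^{n} (y_2 = v_i). \qquad (14)$$

Let $w_1, \dots, w_n$ be fresh variables; from (14) it follows that

$$\delta_1(\underline{x}, \underline{z}_1, y_1) \wedge \delta_2(\underline{x}, \underline{z}_2, y_2) \wedge \bigwedge_{i=1}^{n} (w_i = v_i) \vdash_T \bigvee_{i=1}^{n} (y_1 = w_i) \vee \bigvee_{i=1}^{n} (y_2 = w_i).$$

Applying convexity, we obtain that there is some $i$ such that either

$$\delta_1(\underline{x}, \underline{z}_1, y_1) \wedge \delta_2(\underline{x}, \underline{z}_2, y_2) \wedge \bigwedge_{i=1}^{n} (w_i = v_i) \vdash_T y_1 = w_i$$

or

$$\delta_1(\underline{x}, \underline{z}_1, y_1) \wedge \delta_2(\underline{x}, \underline{z}_2, y_2) \wedge \bigwedge_{i=1}^{n} (w_i = v_i) \vdash_T y_2 = w_i$$

holds. Replacing the $w$'s with the $v$'s, this gives either

$$\delta_1(\underline{x}, \underline{z}_1, y_1) \wedge \delta_2(\underline{x}, \underline{z}_2, y_2) \vdash_T y_1 = v_i$$

or

$$\delta_1(\underline{x}, \underline{z}_1, y_1) \wedge \delta_2(\underline{x}, \underline{z}_2, y_2) \vdash_T y_2 = v_i.$$

In both cases (taking into consideration (3)), we get $\delta_1(\underline{x}, \underline{z}_1, y_1) \wedge \delta_2(\underline{x}, \underline{z}_2, y_2) \vdash_T y_1 = v_i \wedge y_2 =
v_i$, as required by (4).

Vice versa, when assuming the implication (3) $\Rightarrow$ (4), it is very easy to show (by applying
convexity) that $T$ is equality interpolating. □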

B.3 Proofs for Section 5

In this Subsection we prove the relevant properties (soundness, completeness, termination)
of our combined interpolation algorithm $CI(T_1, T_2)$, where $T_1, T_2$ are two signature-disjoint,
stably infinite and equality interpolating theories whose SMT problems are decidable.

Lemma B.4. If rules Decide$_X$, Share$_i$ and Terminate$_i$ do not apply to a pair $A, B$, then
$A \cup B$ is $T_1 \cup T_2$-satisfiable, unless $\bot \in A \cup B$.

Proof. Let $\underline{a}, \underline{c}$ be the free constants occurring in $A$ and $\underline{b}, \underline{c}$ be the free constants occurring in
$B$. If the above rules do not apply and $\bot \notin A \cup B$, then $A_i \cup B_i \cup \{\underline{a} \cap \underline{b} = \emptyset\}$ is $T_i$-satisfiable
for $i = 1, 2$; moreover $A$ contains an $A$-assignment $\alpha$ and $B$ contains a $B$-assignment $\beta$.
This means that $A_1 \cup A_2$ entails $A$ and $B_1 \cup B_2$ entails $B$, so that it is sufficient to show the
$T_1 \cup T_2$-satisfiability of $A_1 \cup A_2 \cup B_1 \cup B_2$ only. The latter follows from Lemma B.2 because
the sets

$$\Theta_i = A_i \cup B_i \cup \{\underline{a} \cap \underline{b} = \emptyset\}$$

satisfy the hypothesis of the Lemma. Pick in fact a pair of constants $d_1, d_2$ from $\underline{a}, \underline{b}, \underline{c}$: if
they are both from $\underline{a}, \underline{c}$ or both from $\underline{b}, \underline{c}$, then either $d_1 = d_2$ or $d_1 \neq d_2$ belongs to $\Theta_i$, as
$\alpha \cup \beta$ has assigned a truth value to $d_1 = d_2$. If one of them is in $\underline{a}$ and the other is in $\underline{b}$, then
$d_1 \neq d_2 \in \Theta_i$ by construction. □

Footnote: Notice that in Definition 4.1 we can restrict $\delta_1, \delta_2$ to be conjunctions of literals, getting anyway an
equivalent definition. In fact, if (1) holds, $\delta_1 = \bigvee_j \delta_{1j}$ and $\delta_2 = \bigvee_k \delta_{2k}$, then we can find tuples $\underline{v}_{jk}$ satisfying
$\delta_{1j} \wedge \delta_{2k} \vdash_T \underline{y}_1\underline{y}_2 \cap \underline{v}_{jk} \neq \emptyset$ and finally get by juxtaposition a tuple $\underline{v}$ satisfying (2).
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Theorein l5.2l LetTi andT2 be two signature disjoint, stably-infinite, and equality interpolat- 
ing theories having decidable SMT problems. Then, CI(Ti,T2) is a quantifier-free interpolation 
algorithm for the combined theory Ti L)T2. 

Proof. Let Aq, Bq be our input Ti U T2-unsatisfiable pair. By repeatedly applying our trans- 
formations Decidex, Sharej and Terminatej to it, we produce a tree r (the pairs labeling 
the successors of a node are the possible outcomes of our transformations, which are non 
deterministic). Clearly Decidex, Sharej and Terminatej are satisfiability-preserving, in 
the sense that a pair to which they are applied is Ti U T2-satisfiable iff one of the outcomes 
is. As a consequence, by Lemma IB. 41 _L must belongs to all pairs labeling the leaves. Thus, 
since Decide^, Sharej and Terminatej can all be justified by metarules, our tree r is an 
interpolating metarules refutation (and we are done by Proposition 15. ip . provided we show 
that T is finite. Finiteness of r is also needed to prove the termination of our algorithm. 

We apply König's Lemma and show that all branches of $\tau$ are finite. Notice that the transformation Decide$_X$ can be applied many times in a branch: this is because Share$_i$ introduces a new ground formula $\delta$ and alters the definition of an $A$-relevant and a $B$-relevant atom (it introduces new $AB$-common constants by Term Sharing). However, Share$_i$ can be applied only finitely many times, as it decreases the number of $A$-strict or $B$-strict constants. Once Share$_i$ is no more applied, just single applications of Decide^i, Decide^, Terminate$_i$ are possible. □

C Quantifier elimination through universal axioms

In this Appendix we give details concerning a couple of applications of Theorem H? 

C.1 Integer Linear Arithmetic

Presburger Arithmetic $\mathcal{PRA}$ is the theory so specified. Its signature consists of the symbols $0, 1, +, -, <$ in addition to the infinite predicates $P_n$ (one for every $n > 0$). A set of axioms for $\mathcal{PRA}$ is the following one

$$\begin{aligned}
&\forall x, y, z.\ x + (y + z) = (x + y) + z\\
&\forall x, y.\ x + y = y + x\\
&\forall x.\ x + 0 = x\\
&\forall x.\ x + (-x) = 0\\
&\forall x.\ x \not< x\\
&\forall x, y, z.\ (x < y \wedge y < z \to x < z)\\
&\forall x, y.\ x < y \vee x = y \vee y < x\\
&\forall x, y, z.\ x < y \to x + z < y + z\\
&0 < 1\\
&\forall y.\ \neg(0 < y \wedge y < 1)\\
&\forall x\,\exists y.\ \bigvee_{0\le r<n} x = ny + r\\
&\forall x.\ P_n(x) \leftrightarrow \exists y\,(ny = x)
\end{aligned}$$

(we used the abbreviations $nt$ for the sum of $n$-copies of $t$ and $n$ for $n1$). Presburger arithmetic enjoys quantifier-elimination: a detailed proof can be found e.g. in [12] or also in the online available notes^ L. Van Der Dries "Mathematical Logic Lecture Notes" (where we took the above axiomatization from). However, $\mathcal{PRA}$ is not equality interpolating because $\mathcal{PRA}\cup\mathcal{EUF}$ does not enjoy quantifier-free interpolation [5].

In Subsection 14. H we proposed the theory $\mathcal{LIA}$, comprising in its language also the unary function symbols $\mathit{div}[n]$ (representing integer division by $n$, for $n > 1$). In $\mathcal{LIA}$, one can define $P_n(x)$ as $x\ \mathit{rem}[n] = 0$ (recall that $x\ \mathit{rem}[n]$ abbreviates $x - n(x\ \mathit{div}[n])$). Using this definition, we can view $\mathcal{LIA}$ as a supertheory of $\mathcal{PRA}$, because all the axioms of $\mathcal{PRA}$ are derivable in $\mathcal{LIA}$.^ We are ready to show that Theorem 4.3 applies to $\mathcal{LIA}$:

Proposition C.1. $\mathcal{LIA}$ is equality interpolating.



^ http://www.math.uiuc.edu/~vddries/

^ For the last one, show that the following universal sentences are derivable in $\mathcal{PRA}$ for every $n > 0$:

$$\forall x.\ nx = 0 \to x = 0,\qquad \forall x.\ \bigwedge_{0<r<n} nx \neq r.$$

Proof. In view of Theorem 4.3, since $\mathcal{LIA}$ is universal, we only need to show that $\mathcal{LIA}$ has elimination of quantifiers. Let $\phi(\underline{x})$ be an arbitrary formula of $\mathcal{LIA}$; consider an atom $L$ occurring in $\phi$ containing an occurrence of a term $u$ of the kind $t\ \mathit{div}[n]$. Modulo $\mathcal{LIA}$, the atom $L$ is equivalent to

$$\exists y \bigvee_{0\le r<n} (t = ny + r \wedge L[y/u]) \tag{15}$$

(this is because $\bigvee_{0\le r<n}(t = ny + r) \leftrightarrow y = t\ \mathit{div}[n]$ follows from the axioms of $\mathcal{LIA}$). We can then replace $L$ by (15) in $\phi$ and get an equivalent formula. If we do this exhaustively, we obtain a formula $\phi'$ such that $\mathcal{LIA}\vdash\phi\leftrightarrow\phi'$. Since, as we observed above, $\mathcal{LIA}$ is a supertheory of $\mathcal{PRA}$ and the latter enjoys quantifier elimination, we can find a quantifier-free $\phi''(\underline{x})$ such that $\mathcal{LIA}\vdash\phi\leftrightarrow\phi''$. □

C.2 Unit-Two-Variable-Per-Inequality

This theory (called $\mathcal{UTVPI}$ in the literature) is another interesting fragment of integer linear arithmetic, slightly more expressive than $\mathcal{IDL}$. It can be defined as the theory whose axioms are the sentences true in $\mathbb{Z}$ in the signature comprising predecessor $pred$, successor $succ$, $0$, $<$ and $-$ (the latter is viewed as a unary symbol). We shall exhibit here a set of universal quantifier eliminating axioms for $\mathcal{UTVPI}$ (thus showing that $\mathcal{UTVPI}$ is equality interpolating too, thanks to Theorem 4.3).

Like in the case of $\mathcal{IDL}$, let us examine the shape of the atoms of $\mathcal{UTVPI}$. They are equivalent to formulae having the form $\pm i \bowtie f^n(j)$ (for $n\in\mathbb{Z}$, $\bowtie\ \in\{=, <, >\}$),^ where $i, j$ are variables or the constant $0$, $f^0(j)$ is $j$, $f^k(j)$ abbreviates $succ(succ^{k-1}(j))$ when $k > 0$ or $pred(pred^{-k-1}(j))$ when $k < 0$. (Usually, $\pm i \bowtie f^n(j)$ is written as $i \pm j \bowtie n$ or as $i \bowtie n \pm j$).

Proposition C.2. $\mathcal{UTVPI}$ is equality interpolating.



Proof. We take inspiration from Lemma B.3, that is we directly supply a quantifier elimination algorithm for $\mathcal{UTVPI}$ satisfying (12) (thus, the left to right sides of formulae (12) will be the relevant axiomatization for $\mathcal{UTVPI}$, once joined with the universal sentences in the signature of $\mathcal{UTVPI}$ which are true in $\mathbb{Z}$).^ As usual, it is sufficient to eliminate single existentially quantified variables from primitive formulae [10]. This means that, since negation can be eliminated, we must consider formulae $\exists x\,\phi$ where $\phi$ is a conjunction of atoms of the following kinds:

$$x = m_i \pm t_i,\qquad x < m_j \pm u_j,\qquad x > m_k \pm v_k,$$

where $x$ does not occur in the $t_i, u_j, v_k$ (otherwise either $\phi$ is inconsistent or the atom is redundant or it simplifies to an atom of the above kinds). If there are literals of the first kind, the quantifier $\exists x$ can be eliminated by substitution (this schema fits (12)), so suppose there are none. If there are no literals of the second kind or no literals of the third kind, $\exists x\,\phi$ is equivalent to $\top$ (use the terms $pred(m_j \pm u_j)$, $succ(m_k \pm v_k)$ to fit (12)). If there are both literals of the second and of the third kind, $\exists x\,\phi$ is equivalent to $\bigvee_k \phi(succ(m_k \pm v_k))$. □

^ We use $>$ as a defined symbol ($t > u$ stands for $u < t$).

^ The latter are needed to normalize all atoms to the form $i \bowtie n \pm j$.

D Equality interpolating and Beth definability

In this Section we discuss the connection of the notions introduced in this paper with standard 
topics in mathematical logic and universal algebra. This complementary material is included 
here for the sake of completeness. 

Beth definability theorem [10] is a classical result in model theory; we show that in the 
convex case equality interpolating can be interpreted as a 'modulo theory' version of a Beth 
definability property. We find in the non-convex case too a 'Beth-like' formulation of equality 
interpolation. In the end, we use the Beth definability formulation of equality interpolation in 
order to briefly discuss the relationship between our results and well-known results concerning 
strong amalgamation from the algebraic literature. 

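To begin with, we add a further equivalent characterization to the list (i)-(iii) of Theorem 4.2:

Theorem 4.2. The following conditions are equivalent for a theory $T$ having quantifier-free interpolation:

(i) $T$ is strongly sub-amalgamable;

(ii) $T$ is equality interpolating;

(iii) $T$ satisfies the implication dS]) => d?]) (for every $\delta_1,\delta_2$);

(iv) for every quantifier-free formula $\delta(\underline{x},\underline{z},\underline{y})$ such that

$$\delta(\underline{x},\underline{z}',\underline{y}')\wedge\delta(\underline{x},\underline{z}'',\underline{y}'')\vdash_T \underline{y}'\cap\underline{y}''\neq\emptyset \tag{16}$$

there are terms $\underline{v}(\underline{x})$ such that

$$\delta(\underline{x},\underline{z},\underline{y})\vdash_T \underline{y}\cap\underline{v}\neq\emptyset. \tag{17}$$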

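Proof. We already proved (in the previous formulation of Theorem 4.2 in Appendix B) that conditions (i)-(ii)-(iii) are all equivalent to each other.

Assume (iv) and Q. Take $\underline{y} := \underline{y}_1\underline{y}_2$ and put $\delta(\underline{x},\underline{y}) := \delta_1(\underline{x},\underline{y}_1)\wedge\delta_2(\underline{x},\underline{y}_2)$. Now notice that $\delta(\underline{x},\underline{y}_1',\underline{y}_2')\wedge\delta(\underline{x},\underline{y}_1'',\underline{y}_2'')$ is

$$\delta_1(\underline{x},\underline{y}_1')\wedge\delta_2(\underline{x},\underline{y}_2')\wedge\delta_1(\underline{x},\underline{y}_1'')\wedge\delta_2(\underline{x},\underline{y}_2'');$$

since by ([6]) we have

$$\delta_1(\underline{x},\underline{y}_1')\wedge\delta_2(\underline{x},\underline{y}_2'')\vdash_T \underline{y}_1'\cap\underline{y}_2''\neq\emptyset$$

a fortiori we get

$$\delta(\underline{x},\underline{y}_1',\underline{y}_2')\wedge\delta(\underline{x},\underline{y}_1'',\underline{y}_2'')\vdash_T \underline{y}_1'\underline{y}_2'\cap\underline{y}_1''\underline{y}_2''\neq\emptyset. \tag{18}$$

By (iv), there are terms $\underline{v}(\underline{x})$ such that $\delta(\underline{x},\underline{y}_1,\underline{y}_2)\vdash_T \underline{y}_1\underline{y}_2\cap\underline{v}\neq\emptyset$, which is the same as ([7]).

For the vice versa, we suppose that (HD =^ (12D holds. Consider $\delta(\underline{x},\underline{z},\underline{y})$ such that (fTnj) holds. Then, we can find $\underline{v}(\underline{x})$ such that

$$\delta(\underline{x},\underline{z}',\underline{y}')\wedge\delta(\underline{x},\underline{z}'',\underline{y}'')\vdash_T (\underline{y}'\cap\underline{v}\neq\emptyset)\vee(\underline{y}''\cap\underline{v}\neq\emptyset) \tag{19}$$

holds. Making the substitutions $\underline{z}'\mapsto\underline{z}$, $\underline{z}''\mapsto\underline{z}$, $\underline{y}'\mapsto\underline{y}$, $\underline{y}''\mapsto\underline{y}$, this gives precisely (fT7|). □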

Condition (iv) above can be interpreted as a 'generalized Beth property'. The situation becomes clearer in the simplified convex case; we first restate Proposition 4.4:

Proposition 4.4. The following conditions are equivalent for a convex theory $T$ having quantifier-free interpolation:

(i) $T$ is equality interpolating;

(ii) $T$ satisfies the implication ([3]) => ([H) (for every conjunctions of literals $\delta_1,\delta_2$);

(iii) for every pair $\underline{x},\underline{z}$ of tuples of variables, for every further variable $y$ and for every conjunction of literals $\delta(\underline{x},\underline{z},y)$ such that

$$\delta(\underline{x},\underline{z}',y')\wedge\delta(\underline{x},\underline{z}'',y'')\vdash_T y' = y'',$$

there is a term $v(\underline{x})$ such that

$$\delta(\underline{x},\underline{z},y)\vdash_T y = v.$$

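Proof. Again, we already know from Appendix B that (i) and (ii) are equivalent.

Assume that (iii) holds and consider $\delta_1(\underline{x},\underline{z}_1,y_1)$, $\delta_2(\underline{x},\underline{z}_2,y_2)$ satisfying ^. Take $\delta(\underline{x},\underline{z}_1,\underline{z}_2,y) := \delta_1(\underline{x},\underline{z}_1,y)\wedge\delta_2(\underline{x},\underline{z}_2,y)$. Now $\delta(\underline{x},\underline{z}_1',\underline{z}_2',y')\wedge\delta(\underline{x},\underline{z}_1'',\underline{z}_2'',y'')$ is

$$\delta_1(\underline{x},\underline{z}_1',y')\wedge\delta_2(\underline{x},\underline{z}_2',y')\wedge\delta_1(\underline{x},\underline{z}_1'',y'')\wedge\delta_2(\underline{x},\underline{z}_2'',y''),$$

hence (considering the first and the fourth conjunct) from ^ we get

$$\delta(\underline{x},\underline{z}_1',\underline{z}_2',y')\wedge\delta(\underline{x},\underline{z}_1'',\underline{z}_2'',y'')\vdash_T y' = y''.$$

By (iii), there is a term $v(\underline{x})$ such that

$$\delta_1(\underline{x},\underline{z}_1,y)\wedge\delta_2(\underline{x},\underline{z}_2,y)\vdash_T y = v(\underline{x}). \tag{20}$$

Again by ([3]), we obtain (after renamings)

$$\delta_1(\underline{x},\underline{z}_1,y_1)\wedge\delta_2(\underline{x},\underline{z}_2,y_2)\vdash_T y_1 = y_2\wedge\delta_2(\underline{x},\underline{z}_2,y_1);$$

thus (taking into account (20)) also

$$\delta_1(\underline{x},\underline{z}_1,y_1)\wedge\delta_2(\underline{x},\underline{z}_2,y_2)\vdash_T y_1 = y_2\wedge y_1 = v(\underline{x})$$

and finally (gl).

Vice versa, if (ii) holds and we have $\delta(\underline{x},\underline{z}',y')\wedge\delta(\underline{x},\underline{z}'',y'')\vdash_T y' = y''$, we can find $v(\underline{x})$ such that

$$\delta(\underline{x},\underline{z}',y')\wedge\delta(\underline{x},\underline{z}'',y'')\vdash_T y' = v\wedge y'' = v;$$

applying the substitution $\underline{z}'\mapsto\underline{z}$, $\underline{z}''\mapsto\underline{z}$, $y'\mapsto y$, $y''\mapsto y$, this gives our claim $\delta(\underline{x},\underline{z},y)\vdash_T y = v$. □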

A primitive formula is obtained from a conjunction of literals by prefixing to it a string of existential quantifiers. We can reformulate the condition (iii) from Proposition 4.4 above as follows:

(iii)' for every tuple of variables $\underline{x}$, for every further variable $y$ and for every primitive formula $\theta(\underline{x}, y)$ such that $\theta(\underline{x}, y')\wedge\theta(\underline{x}, y'')\vdash_T y' = y''$, there is a term $v(\underline{x})$ such that $\theta(\underline{x}, y)\vdash_T y = v$.



This is precisely Beth definability property [10], modulo T, for primitive formulae. Hence 
equality interpolating coincides with this 'primitive Beth definability property' in the convex 
case. 

To conclude, for the interested reader, we make some observations connecting the above 
result with the algebraically oriented literature (see [21] for a survey and for pointers to 
relevant papers). In an appropriate context from universal algebra, strong amalgamability is 
shown to be equivalent to the conjunction of amalgamability and of regularity of epimorphisms 
(alternatively: and of regularity of monomorphisms). In the same context, unravelling the
definitions and using presentations of algebras as quotient of free ones, it is not difficult 
to realize that the primitive Beth definability property above is equivalent to regularity of 
monomorphisms. Thus, our results perfectly match with the algebraic characterization of 
strong amalgamability. Our approach, however, is orthogonal to algebraic and category- 
theoretic approaches: such approaches are able in fact to prove characterizations of strong 
amalgamability that work in abstract sufficiently complete/cocomplete categories, including 
consequently categories having nothing to do with models of first order theories. On the other 
hand, existence of minimal categorical structure fails in our context as soon as we go beyond 
the universal Horn case. Thus, the two approaches are incomparable and this is reflected by 
the different techniques employed (we mostly rely on diagrams and compactness, whereas the category-theoretic approach mostly exploits universal properties).

E Interpolation with free function symbols

In this paper, we treated quantifier free interpolation only with respect to variables, in the sense that we always considered all non variable symbols as shared symbols. This is not the notion of interpolation commonly used in verification, where also free functions and predicate symbols are not allowed to appear in the interpolants in case they do not occur in both the formulae to be interpolated. We show here that this more general notion of quantifier free interpolation can be reduced to combined interpolation and thus that it is equivalent to strong sub-amalgamability too.

Definition E.1. Let $T$ be a theory in a signature $\Sigma$; we say that $T$ has the general quantifier-free interpolation property iff for every signature $\Sigma'$ (disjoint from $\Sigma$) and for every finite sets of ground $\Sigma\cup\Sigma'$-formulae $A, B$ such that $A\wedge B$ is $T$-unsatisfiable,^ there is a ground formula $\theta$ such that: (i) $A$ $T$-entails $\theta$; (ii) $\theta\wedge B$ is $T$-unsatisfiable; (iv) all predicate, constants and function symbols from $\Sigma'$ occurring in $\theta$ occur also in $A$ and in $B$.

Notice that the above definition becomes equivalent to the definition of quantifier free interpolation property introduced in Section [2] if we restrict it to the signatures $\Sigma'$ containing only constant function symbols. One may wonder whether Definition E.1 is the same as asking for quantifier free interpolation for all combined theories $T\cup\mathcal{EUF}(\Sigma')$; at a first glance, it does not seem to be so because in Definition E.1 we require also that the function and the predicate symbols from $\Sigma'$ not occurring in both $A, B$ do not occur in $\theta$ either. We shall see however that such symbols are immaterial because they can be removed.

Let us fix a theory $T$ in a signature $\Sigma$ and let $\Sigma'$ be a further signature (disjoint from $\Sigma$). A finite set $A$ of ground $\Sigma\cup\Sigma'$-formulae is said to be $\Sigma_0$-flat (for some $\Sigma_0\subseteq\Sigma'$) iff $A$ is of the kind $A_0\cup A_1$, where $A_1$ does not contain $\Sigma_0$-symbols and $A_0$ is a set of literals of the kind

$$f(a_1,\dots,a_n) = b,\qquad P(a_1,\dots,a_n),\qquad \neg P(a_1,\dots,a_n)$$

where $f, P\in\Sigma_0$ and $a_1,\dots,a_n, b$ are constants not in $\Sigma_0$.

Lemma E.2. Let $T$, $\Sigma$, $\Sigma'$ be as above and let the finite set of ground $\Sigma\cup\Sigma'$-formulae $A$ be $\Sigma_0$-flat (for some $\Sigma_0\subseteq\Sigma'$). Then it is possible to find a finite set of ground formulae $A^{-\Sigma_0}$ such that: (i) $A^{-\Sigma_0}$ does not contain $\Sigma_0$-symbols; (ii) $A$ $T$-entails $A^{-\Sigma_0}$; (iii) $A^{-\Sigma_0}$ is $T$-satisfiable iff $A$ is $T$-satisfiable.



^° By this (and similar notions) we mean that $A\wedge B$ is unsatisfiable in all $\Sigma'$-structures whose $\Sigma$-reduct is a model of $T$. We use the same convention as in Section [5] and indicate with the letters $A, B$ both a finite set of ground formulas and its conjunction.

Proof. Let $A$ be $A_0\cup A_1$ as prescribed in the definition of $\Sigma_0$-flatness. We take as $A^{-\Sigma_0}$ the set of ground formulae $A_0'\cup A_1$ where $A_0'$ is built as follows. For every function symbol $f\in\Sigma_0$ and for every pair of atoms $f(a_1,\dots,a_n) = b$, $f(a_1',\dots,a_n') = b'$ belonging to $A_0$ we include in $A_0'$ the ground clause

$$a_1 = a_1'\wedge\cdots\wedge a_n = a_n'\to b = b'; \tag{21}$$

similarly, for every predicate symbol $P\in\Sigma_0$ and for every pair of literals $P(a_1,\dots,a_n)$, $\neg P(a_1',\dots,a_n')$ belonging to $A_0$ we include in $A_0'$ the ground clause

$$a_1 = a_1'\wedge\cdots\wedge a_n = a_n'\to\bot. \tag{22}$$

That $A_0'\cup A_1$ enjoys properties (i)-(ii) is clear; it remains to show that if it is $T$-satisfiable, so is $A_0\cup A_1$.^ Suppose indeed that $\mathcal{M}$ is a $\Sigma\cup(\Sigma'\setminus\Sigma_0)$-model of $T$ in which $A_0'\cup A_1$ is true. We expand $\mathcal{M}$ to a $\Sigma\cup\Sigma'$-structure as follows. Let $f\in\Sigma_0$ have arity $n$ and let $c_1,\dots,c_n$ be elements from the support of $\mathcal{M}$; then $f^{\mathcal{M}}(c_1,\dots,c_n)$ is arbitrary, unless there are $f(a_1,\dots,a_n) = b\in A_0$ such that $c_1 = a_1^{\mathcal{M}},\dots,c_n = a_n^{\mathcal{M}}$: in this case, we put $f^{\mathcal{M}}(c_1,\dots,c_n)$ to be equal to $b^{\mathcal{M}}$. Since $\mathcal{M}$ is a model of the clauses (21), the definition is correct. Similarly, if $P\in\Sigma_0$ has arity $n$, then $P^{\mathcal{M}}$ is the set of $n$-tuples $c_1,\dots,c_n$ of elements from the support of $\mathcal{M}$ such that there exists $P(a_1,\dots,a_n)\in A_0$ such that $c_1 = a_1^{\mathcal{M}},\dots,c_n = a_n^{\mathcal{M}}$. The literals from $A_0$ turn out to be all true by construction and because in $\mathcal{M}$ the clauses (22) hold. □
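The construction used in the proof of Lemma E.2 can be carried out mechanically. The following Python code is an added example, not code from the paper: it builds the clauses (21) and (22) from a $\Sigma_0$-flat set $A_0$ and then expands a valuation of the constants as the proof does. The tuple encoding of literals, the function names and the sample set `SAMPLE_A0` are assumptions made for the illustration.

```python
from itertools import combinations

# Constructed encoding of the Sigma_0-flat literals in A_0 (not the paper's notation):
#   ("fun",  f, args, b)     stands for  f(a_1,...,a_n) = b
#   ("pred", P, args, sign)  stands for  P(a_1,...,a_n) if sign else not P(a_1,...,a_n)
SAMPLE_A0 = [
    ("fun", "f", ("a1",), "b1"),
    ("fun", "f", ("a2",), "b2"),
    ("pred", "P", ("a1",), True),
    ("pred", "P", ("a3",), False),
]

def eliminate(a0):
    """Build A_0': one clause (21) per pair of f-atoms, one clause (22) per P / not-P pair.

    A clause is (premises, conclusion): premises are pairs (a_i, a_i') read as
    equalities; conclusion is a pair (b, b') or None for falsum.
    """
    funs = [lit for lit in a0 if lit[0] == "fun"]
    preds = [lit for lit in a0 if lit[0] == "pred"]
    clauses = []
    for (_, f, args, b), (_, g, args2, b2) in combinations(funs, 2):
        if f == g:
            clauses.append((tuple(zip(args, args2)), (b, b2)))
    for _, p, args, sign in preds:
        for _, q, args2, sign2 in preds:
            if p == q and sign and not sign2:
                clauses.append((tuple(zip(args, args2)), None))
    return clauses

def holds(clause, val):
    """Evaluate a clause under val, a map from constants to elements of the model."""
    premises, conclusion = clause
    if not all(val[x] == val[y] for x, y in premises):
        return True
    return conclusion is not None and val[conclusion[0]] == val[conclusion[1]]

def expand(a0, val):
    """Interpret the Sigma_0-symbols as in the proof: f is fixed only on the tuples
    named by an atom of A_0 (elsewhere it is arbitrary), and P holds exactly on the
    tuples named by a positive literal."""
    ftab, ptrue = {}, set()
    for kind, sym, args, last in a0:
        key = (sym, tuple(val[a] for a in args))
        if kind == "fun":
            if ftab.setdefault(key, val[last]) != val[last]:
                raise ValueError("clause (21) fails, f is not well defined at %r" % (key,))
        elif last:
            ptrue.add(key)
    return ftab, ptrue

def literals_true(a0, val, ftab, ptrue):
    """Check every literal of A_0 in the expanded structure."""
    for kind, sym, args, last in a0:
        key = (sym, tuple(val[a] for a in args))
        ok = ftab.get(key) == val[last] if kind == "fun" else (key in ptrue) == last
        if not ok:
            return False
    return True

if __name__ == "__main__":
    clauses = eliminate(SAMPLE_A0)
    val = {"a1": 0, "a2": 0, "a3": 2, "b1": 1, "b2": 1}   # constructed valuation
    print(clauses, all(holds(c, val) for c in clauses))
    print(literals_true(SAMPLE_A0, val, *expand(SAMPLE_A0, val)))
```

A valuation that satisfies both clauses always expands to a structure in which every literal of $A_0$ is true; one that violates (21) makes `expand` fail, and one that violates (22) makes a negative literal false.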

^ The right-to-left side of (iii) is a consequence of (ii).

Theorem E.3. $T$ has the general quantifier free interpolation property iff it is strongly sub-amalgamable iff it is equality interpolating.

Proof. Since the general quantifier free interpolation property for $T$ implies the (ordinary) quantifier free interpolation property for all the theories $T\cup\mathcal{EUF}(\Sigma')$, it is clear from Theorem [33] that the general quantifier free interpolation property implies strong sub-amalgamability. To show the vice versa, we use our metarules and Lemma E.2 above.

Let $\Sigma$ be the signature of $T$ and let $\Sigma'$ be disjoint from $\Sigma$; fix also finite sets of ground $\Sigma\cup\Sigma'$-formulae $A, B$ such that $A\wedge B$ is $T$-unsatisfiable. Let $\Sigma_A$ be the set of predicate and (non constant) function symbols from $\Sigma'$ that occur in $A$ but not in $B$; similarly, let $\Sigma_B$ be the set of predicate and (non constant) function symbols from $\Sigma'$ that occur in $B$ but not in $A$. We show how to transform $A$ into a $\Sigma_A$-flat $A$ by using metarules (a similar transformation is applied to $B$ to get a $\Sigma_B$-flat $B$). Using metarules (Define1), (Redplus1), (Redminus1) we can add 'defining atoms' $f(a_1,\dots,a_n) = a$ (with fresh $a$) and replace all occurrences of the term $f(a_1,\dots,a_n)$ in $A$ by $a$; if we do it repeatedly, $A$ gets flattened, in the sense that function and predicate symbols (different from identity) in $A$ are always applied to constants. With the same technique, we can transform $A$ into a conjunction of defining atoms and ground formulae in which function symbols from $\Sigma_A$ do not occur. To take care of predicate symbols $P\in\Sigma_A$, we need guessings and metarule (Disjunction1): for every atom $P(a_1,\dots,a_n)$ occurring in $A$, we add either $P(a_1,\dots,a_n)$ or $\neg P(a_1,\dots,a_n)$ to $A$ and replace $P(a_1,\dots,a_n)$ with $\top$ or $\bot$, respectively (notice that because of such guessings the transformation from $A, B$ to $A, B$ may be non-deterministic). Since metarules are satisfiability-preserving and are endowed with recursive instructions for computation of interpolants, it will be sufficient to find a desired interpolant $\theta$ for $A$ and $B$.

If we apply the transformations of Lemma E.2 to $A\cup B$ we can get $(A\cup B)^{-\Sigma_A} = A^{-\Sigma_A}\cup B$ with the properties (i)-(iii) stated in that Lemma: in particular, function and predicate symbols from $\Sigma_A$ do not occur anymore in $A^{-\Sigma_A}$. We do the same for $B$ and eventually we get A^B such that (a) AVi B is $T$-unsatisfiable; (b) A $T$-entails A^ B $T$-entails B\ (c) all predicate and (non constant) function symbols occurring in $A$ occur also in $B$ and vice versa. Let $\Sigma_C$ be the set of predicate and (non constant) function symbols occurring in both $A$ and $B$. Since $T$ is strongly amalgamable, by Theorem 3.5 $T\cup\mathcal{EUF}(\Sigma_C)$ has the quantifier-free interpolation property.^ Thus, there exists a ground formula $\theta$ containing, besides interpreted symbols from $\Sigma$, only predicate and function symbols from $\Sigma_C$, as well as individual free constants occurring both in $A$ and in $B$, such that $A$ $T$-entails $\theta$ and $B\wedge\theta$ is $T$-inconsistent. By (b) above, we get that $A$ $T$-entails $\theta$ and $B\wedge\theta$ is $T$-inconsistent, thus $\theta$ is the desired interpolant.

The equivalence between strong sub-amalgamability and equality interpolating property comes from Theorem 4.2. □



^^ The proof of the right-to-left side of that Theorem does not need the requirement that $\Sigma_C$ has at least a unary predicate symbol.

F A counterexample: golden cuff links

Here we show by exhibiting a formal counterexample that the 'convex' formulation of the equality interpolating property is not sufficient to guarantee the modularity of quantifier-free interpolation for non-convex theories. Intuitively, the reason is that disjunctions of equalities must be propagated in the non convex case and the convex formulation of the equality interpolation property does not say anything about them. This Appendix can be read independently of the remaining part of the Technical Report.

We say that a theory $T$ has the $YM_c$ property ('convex Yorsh-Musuvathi property') iff it has quantifier-free interpolation property and moreover the implication ([3]) => ([1]) holds, i.e. for every pair $y_1, y_2$ of variables and for every pair of conjunctions of literals $\delta_1(\underline{x},\underline{z}_1,y_1)$, $\delta_2(\underline{x},\underline{z}_2,y_2)$ such that

$$\delta_1(\underline{x},\underline{z}_1,y_1)\wedge\delta_2(\underline{x},\underline{z}_2,y_2)\vdash_T y_1 = y_2$$

there exists a term $v(\underline{x})$ such that

$$\delta_1(\underline{x},\underline{z}_1,y_1)\wedge\delta_2(\underline{x},\underline{z}_2,y_2)\vdash_T y_1 = v\wedge y_2 = v.$$

To build our counterexample, we introduce a theory $\mathcal{CL}$ which is meant to describe a set of cuff links, containing at most one pair of golden cuff links. Formally, in the signature $\Sigma_{CL}$ of $\mathcal{CL}$ we have a unary function symbol $(-)'$ and a unary predicate $G$.^ The axioms of $\mathcal{CL}$ say that $(-)'$ denotes the 'twin' cuff link

$$\forall x.\ x'' = x,\qquad \forall x.\ x\neq x'$$

that twin cuff links are both golden or not

$$\forall x.\ G(x)\leftrightarrow G(x')$$

and that there is at most one pair of golden cuff links:

$$\forall x\,\forall y.\ G(x)\wedge G(y)\to x = y\vee x' = y. \tag{23}$$

^ A free constant $c_0$ is added to the signature $\Sigma_{CL}$ to prevent it from being empty.

Lemma F.1. $\mathcal{CL}$ has the quantifier free interpolation property, because it has the sub-amalgamation (but not the strong sub-amalgamation) property.

Proof. That the sub-amalgamation property holds is quite clear: suppose we are given models $\mathcal{M}_1,\mathcal{M}_2$ of $\mathcal{CL}$ sharing the substructure $\mathcal{A}$ (as a side remark, notice that $\mathcal{A}$ is also a model of $\mathcal{CL}$ because $\mathcal{CL}$ is universal). As usual, we assume that the intersection of the supports of $\mathcal{M}_1$ and $\mathcal{M}_2$ is the support of $\mathcal{A}$. To amalgamate $\mathcal{M}_1,\mathcal{M}_2$ over $\mathcal{A}$, it is sufficient to take the union of the supports of $\mathcal{M}_1$ and $\mathcal{M}_2$, with just one proviso: if $\mathcal{M}_1,\mathcal{M}_2$ both contain a pair of golden cuff links that is not from $\mathcal{A}$, then such pairs must be merged (the need of such merging is precisely what shows that strong sub-amalgamation fails). □

Proposition F.2. $\mathcal{CL}$ has the $YM_c$ property.

Proof. We shall work with free constants (instead of with variables). Consider finite sets of ground literals $A, B$ in the signature $\Sigma_{CL}$ enriched with additional free constants (let $\Sigma_A$ be the signature of $A$ and $\Sigma_B$ be the signature of $B$). We call $AB$-common the ground terms built up from free constants occurring both in $A$ and in $B$; ground terms built up from constants occurring in $A$ but not in $B$ are called $A$-strict ($B$-strict ground terms are defined symmetrically). We call a ground term or literal pure iff it is either from $\Sigma_A$ or from $\Sigma_B$. We argue by contraposition. Suppose that, for an $A$-strict constant $a$ and a $B$-strict constant $b$, there is no $AB$-common ground term $t$ such that $A\cup B\vdash_{CL} t = a\wedge t = b$; we show that $A\cup B\not\vdash_{CL} a = b$ by exhibiting a $\Sigma_A\cup\Sigma_B$-model $\mathcal{M}$ of $\mathcal{CL}$ such that $\mathcal{M}\models A$, $\mathcal{M}\models B$ and $\mathcal{M}\not\models a = b$.

We can freely make further assumptions on our $A, B$: first, we can assume that there is at least one $AB$-common ground term,^ that terms like $d''$ do not occur in $A\cup B$,^ and that if a term occurs in $A\cup B$, so does its twin term (here the twin of a constant $d$ is $d'$ and the twin of $d'$ is $d$).^ Second, since the number of $\Sigma_A$-ground literals is finite (modulo the identification of a term like $t''$ with $t$), we can assume that if a $\Sigma_A$-ground literal is entailed (modulo $\mathcal{CL}$) by $A\cup B$, then it actually occurs in $A$ (and similarly for $B$): the addition of such entailed literals does not in fact compromise our claim. So, let us make the above assumptions. Notice that (since there is at least one ground $AB$-common term), our hypotheses imply that $A\cup B$ is $\mathcal{CL}$-consistent, so no pair of contradictory literals can be there.

We can divide the ground terms occurring in $\Sigma_A\cup\Sigma_B$ into equivalence classes (similarly to what happens in congruence closure algorithms), according to the equivalence relation that holds among $d_1$ and $d_2$ iff (i) either they both occur in $A$ and $d_1 = d_2\in A$, or (ii) they both occur in $B$ and $d_1 = d_2\in B$, or (iii) $d_1$ is $A$-strict, $d_2$ is $B$-strict and there exists an $AB$-common $t$ such that $d_1 = t\in A$, $d_2 = t\in B$, or (iv) $d_1$ is $B$-strict, $d_2$ is $A$-strict and there exists an $AB$-common $t$ such that $d_1 = t\in B$, $d_2 = t\in A$. Notice that, because of our assumptions, the equivalence class of $a$ is different from the equivalence class of $b$.

^^ Because $\Sigma_{CL}$ has one.

^^ Because they simplify to $d$.

^16 To ensure the latter, we can just add literals like $d' = d'$ to $A$ or $B$, if needed.

Since there are no contradictory literals in $A\cup B$, we can build a $\Sigma_A\cup\Sigma_B$-structure $\mathcal{A}$ in which all literals from $A\cup B$ are true: the support of $\mathcal{A}$ is formed by the above equivalence classes, a free constant is interpreted as the equivalence class it belongs to, the twin $C'$ of an equivalence class $C$ is the equivalence class formed by the twin terms of the terms belonging to $C$; moreover, $C$ is a golden cuff link in $\mathcal{A}$ iff $G(t)\in A\cup B$ (here $t$ is any term belonging to $C$). Notice that $\mathcal{A}\not\models a = b$. However, we are not done, because $\mathcal{A}$ may not be a model of $\mathcal{CL}$: the reason is that there might be more than one golden pair of cuff links. We now show how to merge all golden pairs of cuff links of $\mathcal{A}$ and get a model $\mathcal{M}$ of $\mathcal{CL}$ having the required properties, namely such that $\mathcal{M}\models A$, $\mathcal{M}\models B$ and $\mathcal{M}\not\models a = b$.

Consider two different pairs of golden cuff links $C, C'$ and $D, D'$ (when we say that they are different as pairs of cuff links, we mean that $C$ is different from both $D$ and $D'$). We claim that if we merge $C$ with $D$ and $C'$ with $D'$ as equivalence classes (i.e. if we identify them as elements from the support of $\mathcal{A}$), we still have that the literals from $A$ and $B$ are true. In fact, this could possibly be not the case if there are $t\in C$, $u\in D$ such that $t\neq u\in A\cup B$. However, literals in $A\cup B$ are all pure, so that either $t, u\in\Sigma_A$ or $t, u\in\Sigma_B$. Suppose $t, u\in\Sigma_A$ (the other case is symmetric); by the construction of $\mathcal{A}$ and since $C, D$ are golden, we have that $G(t), G(u)\in A\cup B$ and hence (by (23)) the entailed literal $t = u'$ belongs to $A$, so that $C = D'$ which means that $C, C'$ and $D, D'$ are not different pairs of cuff links.

In conclusion, whenever we pick two different pairs of golden cuff links $C, C'$ and $D, D'$ from the support of $\mathcal{A}$, we can merge $C$ with $D$ and $C'$ with $D'$, without compromising the truth of $A\cup B$; notice, however, that we can make the symmetric operation and merge $C$ with $D'$ and $C'$ with $D$, again keeping the literals in $A\cup B$ true. In the end, we can merge all golden pairs of cuff links into a single one; if $a$ and $b$ belong to $C$ and $D$, respectively, and if $C, D$ are both golden, we can choose the appropriate merging among the two possible ones, so that in the end we have that $D$ is equal to $C'$, which implies that $a$ and $b$ remain interpreted as different elements in the support of the final model. □

From the above results and Theorem 3.5, we obtain:

Corollary F.3. $\mathcal{CL}$ has the quantifier-free interpolation property and the $YM_c$ property, but $\mathcal{CL}\cup\mathcal{EUF}$ does not have the quantifier free interpolation property (if the signature of $\mathcal{EUF}$ has at least a unary predicate symbol).

A direct counterexample to the quantifier-free interpolation property for the combined theory $\mathcal{CL}\cup\mathcal{EUF}$ can be easily obtained by considering the following mutually unsatisfiable sets of ground literals

$$A := \{G(a), P(a), P(a')\},\qquad B := \{G(b), \neg P(b), \neg P(b')\}$$

(here $P$ is the extra free predicate).
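An added example (not part of the paper) that checks this counterexample by exhaustive search in Python. It assumes that the free constant $c_0$ of the footnote is the only shared constant, uses a constructed tuple encoding of literals with hypothetical function names, and relies on $\mathcal{CL}$ being universal, so that a model of ground literals over $a, b, c_0$ can be cut down to at most three pairs of cuff links.

```python
from itertools import product

# Constructed encoding: a literal is (symbol, constant, primes, polarity), e.g.
# ("P", "a", 1, True) is P(a') and ("P", "b", 0, False) is not P(b).
A = [("G", "a", 0, True), ("P", "a", 0, True), ("P", "a", 1, True)]
B = [("G", "b", 0, True), ("P", "b", 0, False), ("P", "b", 1, False)]

def cl_structures(max_pairs):
    """Yield (size, golden, P) for every CL-structure with at most max_pairs pairs.

    Elements are 0..2n-1 and the twin of e is e ^ 1; every fixed-point-free
    involution is isomorphic to this one. golden is empty or exactly one pair
    (axiom (23)); the free predicate P ranges over all subsets.
    """
    for n in range(1, max_pairs + 1):
        for g in [None] + list(range(n)):
            golden = set() if g is None else {2 * g, 2 * g + 1}
            for bits in product([False, True], repeat=2 * n):
                yield 2 * n, golden, {e for e in range(2 * n) if bits[e]}

def true_in(literal, golden, P, val):
    """Truth value of one ground literal under the valuation val of the constants."""
    sym, const, primes, polarity = literal
    elem = val[const] ^ (primes % 2)          # uses x'' = x
    return (elem in (golden if sym == "G" else P)) == polarity

def shared_profiles(literals, constants, max_pairs):
    """Truth values of G(c0), G(c0'), P(c0), P(c0') in every model of the literals.

    Modulo CL every ground term over the shared symbols equals c0 or c0', so these
    four atoms determine the value of any ground formula over the shared symbols.
    """
    found = set()
    for size, golden, P in cl_structures(max_pairs):
        for choice in product(range(size), repeat=len(constants)):
            val = dict(zip(constants, choice))
            if all(true_in(lit, golden, P, val) for lit in literals):
                c0 = val["c0"]
                found.add((c0 in golden, (c0 ^ 1) in golden, c0 in P, (c0 ^ 1) in P))
    return found

def counterexample_report():
    """Return (profiles of models of A and B together, profiles common to both sides)."""
    both = shared_profiles(A + B, ["a", "b", "c0"], 3)
    common = shared_profiles(A, ["a", "c0"], 2) & shared_profiles(B, ["b", "c0"], 2)
    return both, common

if __name__ == "__main__":
    both, common = counterexample_report()
    print("models of A and B together:", len(both))
    print("shared-atom profiles realised by both sides:", sorted(common))
```

The search finds no model of $A\cup B$, while four valuations of the shared ground atoms are realised both by a model of $A$ and by a model of $B$. A ground formula over the shared symbols that follows from $A$ is therefore true in some model of $B$, so it cannot be an interpolant.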